From 90a4fb1b858463db472e713d77acaf3670710a07 Mon Sep 17 00:00:00 2001
From: degenaro
Date: Fri, 5 May 2023 10:06:48 -0400
Subject: [PATCH 01/14] fix OSCAL catalog version

Also, put into data folder the original xlsx and .config files used by trestle task cis-xlsx-to-oscal-catalog.

Signed-off-by: degenaro
---
 catalogs/ocp4-cis/catalog.json | 1696 ++++++++---------
 ...Container_Platform_Benchmark_v1.2.0-2.xlsx | Bin 0 -> 120094 bytes
 data/cis-xlsx-ocp-to-oscal-catalog.config | 7 +
 3 files changed, 855 insertions(+), 848 deletions(-)
 create mode 100644 data/CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx
 create mode 100644 data/cis-xlsx-ocp-to-oscal-catalog.config

diff --git a/catalogs/ocp4-cis/catalog.json b/catalogs/ocp4-cis/catalog.json
index 3ed34d7..bb91775 100644
--- a/catalogs/ocp4-cis/catalog.json
+++ b/catalogs/ocp4-cis/catalog.json
@@ -1,11 +1,11 @@
 {
 "catalog": {
- "uuid": "9d69e91b-523c-4915-89f1-92731b1b85f7",
+ "uuid": "2f097fb2-8126-4a60-bf17-1ccf59385a3b",
 "metadata": {
 "title": "CIS Red Hat OpenShift Container Platform Benchmark",
- "last-modified": "2023-02-15T07:14:21.927553+00:00",
- "version": "0.2.0",
- "oscal-version": "1.0.2"
+ "last-modified": "2023-05-05T13:50:12+00:00",
+ "version": "v1.2.0-2",
+ "oscal-version": "1.0.4"
 },
 "groups": [
 {
@@ -94,7 +94,7 @@
 ],
 "links": [
 {
- "href": "#4fa8c2d3-6b4c-428a-a0bb-5e25f4bed301",
+ "href": "#8bb677a7-7b91-4f77-b721-85c544770893",
 "rel": "reference"
 }
 ],
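Review bot: Every identifier in catalog.json is regenerated here, not only the version field the subject line names: the catalog `uuid` and the back-matter `href` targets in hunks `-1,11` and `-94,7` (and the matching `-188,7`-style link hunks further down), and from hunk `@@ -105,27` onward the part ids are shortened (`CIS-1.1.1_rationale_statement` becomes `CIS-1.1.1_rat`, likewise `_imp`, `_rem`, `_aud`, `_ctl`). Any profile, component-definition or assessment artefact that pins those part ids or resource uuids will presumably stop resolving, and the `oscal-version` move from `1.0.2` to `1.0.4` likewise affects consumers validating against a pinned schema; none of this is called out in the description. The back-matter resources the new `href` values point at are outside these hunks, so I could not confirm they resolve. I would add to the description: `Regenerating the catalog rewrites all uuids and shortens part ids (e.g. _rationale_statement -> _rat); downstream references to the old ids must be updated.`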
@@ -105,27 +105,27 @@
 "prose": "Ensure that the API server pod specification file has permissions of `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.1_rationale_statement",
+ "id": "CIS-1.1.1_rat",
 "name": "rationale_statement",
 "prose": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable only by the administrators on the system."
 },
 {
- "id": "CIS-1.1.1_impact_statement",
+ "id": "CIS-1.1.1_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.1_remediation_procedure",
+ "id": "CIS-1.1.1_rem",
 "name": "remediation_procedure",
 "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\n```"
 },
 {
- "id": "CIS-1.1.1_audit_procedure",
+ "id": "CIS-1.1.1_aud",
 "name": "audit_procedure",
 "prose": "OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server.\n\nThe OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. \n\nThe Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. 
The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 0644.\n\nTo verify pod specification file permissions for the kube-apiserver, run the following command.\n\n```\n#echo “check kube-apiserver pod specification file permissions”\n\nfor i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )\ndo\n oc exec -n openshift-kube-apiserver $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive."
 },
 {
- "id": "CIS-1.1.1_CIS_Controls",
+ "id": "CIS-1.1.1_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;"
 }
@@ -188,7 +188,7 @@
 ],
 "links": [
 {
- "href": "#a17d309e-222a-44a5-b2df-e0239742208d",
+ "href": "#b4771c7c-b878-40ac-9e05-21476d348568",
 "rel": "reference"
 }
 ],
@@ -199,27 +199,27 @@
 "prose": "Ensure that the API server pod specification file ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.2_rationale_statement",
+ "id": "CIS-1.1.2_rat",
 "name": "rationale_statement",
 "prose": "The API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
 },
 {
- "id": "CIS-1.1.2_impact_statement",
+ "id": "CIS-1.1.2_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.2_remediation_procedure",
+ "id": "CIS-1.1.2_rem",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.2_audit_procedure",
+ "id": "CIS-1.1.2_aud",
 "name": "audit_procedure",
 "prose": "OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. \n\nThe OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. \n\nThe Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with ownership `root:root`.\n\nTo verify pod specification file ownership for the kube-apiserver, run the following command.\n\n```\n#echo “check kube-apiserver pod specification file ownership”\n\nfor i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )\ndo\n oc exec -n openshift-kube-apiserver $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\ndone\n```\nVerify that the ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.2_CIS_Controls",
+ "id": "CIS-1.1.2_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 }
@@ -282,7 +282,7 @@
 ],
 "links": [
 {
- "href": "#f7f556ab-234b-4a8a-a2ca-fec600e826de",
+ "href": "#b06b95e2-d73e-4e4d-a334-ae863bdd80d2",
 "rel": "reference"
 }
 ],
@@ -293,27 +293,27 @@
 "prose": "Ensure that the controller manager pod specification file has permissions of `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.3_rationale_statement",
+ "id": "CIS-1.1.3_rat",
 "name": "rationale_statement",
 "prose": "The controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
 },
 {
- "id": "CIS-1.1.3_impact_statement",
+ "id": "CIS-1.1.3_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.3_remediation_procedure",
+ "id": "CIS-1.1.3_rem",
 "name": "remediation_procedure",
 "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\n```"
 },
 {
- "id": "CIS-1.1.3_audit_procedure",
+ "id": "CIS-1.1.3_aud",
 "name": "audit_procedure",
 "prose": "OpenShift 4 deploys two controller managers: the OpenShift Controller manager and the Kube Controller manager. \n\nThe OpenShift Controller manager is managed as a deployment. The pod specification yaml for openshift-controller-manager is stored in etcd. \n\nThe Kube Controller manager is managed as a static pod. The pod specification file for the openshift-kube-controller-manager is created on control plane nodes at /etc/kubernetes/manifests/kube-controller-manager-pod.yaml. 
It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml with permissions 0644.\n\nTo verify pod specification file permissions for the kube-controller-manager, run the following command.\n\n```\n#echo \"check openshift-kube-controller-manager pod specification file permissions\"\n\nfor i in $( oc get pods -n openshift-kube-controller-manager -o name -l app=kube-controller-manager)\ndo\n oc exec -n openshift-kube-controller-manager $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive."
 },
 {
- "id": "CIS-1.1.3_CIS_Controls",
+ "id": "CIS-1.1.3_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;"
 }
@@ -376,7 +376,7 @@
 ],
 "links": [
 {
- "href": "#005c3423-193e-4db8-9ea4-a4535d6615dd",
+ "href": "#4d949458-3dce-4886-bcae-e8927b7f6b5b",
 "rel": "reference"
 }
 ],
@@ -387,27 +387,27 @@
 "prose": "Ensure that the controller manager pod specification file ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.4_rationale_statement",
+ "id": "CIS-1.1.4_rat",
 "name": "rationale_statement",
 "prose": "The controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
 },
 {
- "id": "CIS-1.1.4_impact_statement",
+ "id": "CIS-1.1.4_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.4_remediation_procedure",
+ "id": "CIS-1.1.4_rem",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.4_audit_procedure",
+ "id": "CIS-1.1.4_aud",
 "name": "audit_procedure",
 "prose": "OpenShift 4 deploys two controller managers: the OpenShift Controller manager and the Kube Controller manager. \n\nThe OpenShift Controller manager is managed as a deployment. The pod specification yaml for openshift-controller-manager is stored in etcd. \n\nThe Kube Controller manager is managed as a static pod. The pod specification file for the openshift-kube-controller-manager is created on control plane nodes at /etc/kubernetes/manifests/kube-controller-manager-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml with ownership root:root.\n\nRun the following command.\n\n```\n#echo “openshift-kube-controller-manager pod specification file ownership\"\n\nfor i in $( oc get pods -n openshift-kube-controller-manager -o name -l app=kube-controller-manager)\ndo\n oc exec -n openshift-kube-controller-manager $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\ndone\n```\n\nVerify that the ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.4_CIS_Controls",
+ "id": "CIS-1.1.4_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 }
@@ -470,7 +470,7 @@
 ],
 "links": [
 {
- "href": "#17caf35a-2d76-4359-8ff9-dc3b12f2a874",
+ "href": "#b926b009-736f-4256-aba4-f00d92a4250f",
 "rel": "reference"
 }
 ],
@@ -481,27 +481,27 @@
 "prose": "Ensure that the scheduler pod specification file has permissions of `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.5_rationale_statement",
+ "id": "CIS-1.1.5_rat",
 "name": "rationale_statement",
 "prose": "The scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
 },
 {
- "id": "CIS-1.1.5_impact_statement",
+ "id": "CIS-1.1.5_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.5_remediation_procedure",
+ "id": "CIS-1.1.5_rem",
 "name": "remediation_procedure",
 "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n```"
 },
 {
- "id": "CIS-1.1.5_audit_procedure",
+ "id": "CIS-1.1.5_aud",
 "name": "audit_procedure",
 "prose": "In OpenShift 4 the kube-scheduler is deployed as a static pod and its pod specification file is created on control plane nodes at /etc/kubernetes/manifests/kube-scheduler-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml with permissions 0644.\n\nTo verify, run the following command. \n\n```\n#Verify openshift-kube-scheduler permissions\n\nfor i in $(oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name)\n do\n oc exec -n openshift-kube-scheduler $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n done\n```\n\nVerify that the permissions are `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.5_CIS_Controls",
+ "id": "CIS-1.1.5_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;"
 }
@@ -564,7 +564,7 @@
 ],
 "links": [
 {
- "href": "#ba265dc2-094e-48d5-a15a-8b982fb6d579",
+ "href": "#c0701093-fab7-42c3-920c-93a01dcfeb2d",
 "rel": "reference"
 }
 ],
@@ -575,27 +575,27 @@
 "prose": "Ensure that the scheduler pod specification file ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.6_rationale_statement",
+ "id": "CIS-1.1.6_rat",
 "name": "rationale_statement",
 "prose": "The scheduler pod specification file controls various parameters that set the behavior of the `kube-scheduler` service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
 },
 {
- "id": "CIS-1.1.6_impact_statement",
+ "id": "CIS-1.1.6_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.6_remediation_procedure",
+ "id": "CIS-1.1.6_rem",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.6_audit_procedure",
+ "id": "CIS-1.1.6_aud",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, the kube-scheduler is deployed as a static pod and its pod specification file is created on control plane nodes at /etc/kubernetes/manifests/kube-scheduler-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml with ownership `root:root`.\n\nRun the following command. \n\n```\n#Verify openshift-kube-scheduler ownership\nfor i in $(oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name)\n do\n oc exec -n openshift-kube-scheduler $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n done\n```\n\nVerify that the ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.6_CIS_Controls",
+ "id": "CIS-1.1.6_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 }
@@ -658,7 +658,7 @@
 ],
 "links": [
 {
- "href": "#a66fe000-f5f1-4fe8-b67f-f2260dd22875",
+ "href": "#822f1e30-a21f-4cff-9c9d-5065b8f675b7",
 "rel": "reference"
 }
 ],
@@ -669,27 +669,27 @@
 "prose": "Ensure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.7_rationale_statement",
+ "id": "CIS-1.1.7_rat",
 "name": "rationale_statement",
 "prose": "The etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the `etcd` service in the master node. `etcd` is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
 },
 {
- "id": "CIS-1.1.7_impact_statement",
+ "id": "CIS-1.1.7_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.7_remediation_procedure",
+ "id": "CIS-1.1.7_rem",
 "name": "remediation_procedure",
 "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/manifests/etcd-pod.yaml\n```"
 },
 {
- "id": "CIS-1.1.7_audit_procedure",
+ "id": "CIS-1.1.7_aud",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, starting with OpenShift 4.4, the etcd pod specification file is generated by the cluster etcd operator. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml` with permissions `644`.\n\nThe default etcd pod specification file is available here: [openshift/cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml)\n\nRun the following command.\n\n```\n#Verify openshift-etcd permissions\n\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )\ndo\n echo \"check pod $i\"\n oc rsh -n openshift-etcd $i \\\n stat -c %a /etc/kubernetes/manifests/etcd-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive."
 },
 {
- "id": "CIS-1.1.7_CIS_Controls",
+ "id": "CIS-1.1.7_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;"
 }
@@ -752,7 +752,7 @@
 ],
 "links": [
 {
- "href": "#d14ae650-3329-416b-9a3b-bea168fe3742",
+ "href": "#e45552c2-8d5b-4d42-823f-0ddfed828273",
 "rel": "reference"
 }
 ],
@@ -763,27 +763,27 @@
 "prose": "Ensure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.8_rationale_statement",
+ "id": "CIS-1.1.8_rat",
 "name": "rationale_statement",
 "prose": "The etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the `etcd` service in the master node. `etcd` is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
 },
 {
- "id": "CIS-1.1.8_impact_statement",
+ "id": "CIS-1.1.8_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.8_remediation_procedure",
+ "id": "CIS-1.1.8_rem",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.8_audit_procedure",
+ "id": "CIS-1.1.8_aud",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, starting with OpenShift 4.4, the etcd pod specification file is generated by the cluster etcd operator. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml` with ownership `root:root`.\n\nThe default etcd pod specification file is available here: [openshift/cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml)\n\nRun the following command :\n\n```\n#Verify openshift-etcd ownership\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )\ndo\n echo \"check pod $i\"\n oc rsh -n openshift-etcd $i \\\n stat -c %U:%G /etc/kubernetes/manifests/etcd-pod.yaml\ndone\n```\n\nVerify that the ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.8_CIS_Controls",
+ "id": "CIS-1.1.8_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 }
@@ -846,7 +846,7 @@
 ],
 "links": [
 {
- "href": "#5864249f-943b-4f1c-9a21-2a0a42e92dea",
+ "href": "#ccaed7c9-7ce1-412a-aae5-cb53e37cc0c8",
 "rel": "reference"
 }
 ],
@@ -857,27 +857,27 @@
 "prose": "Ensure that the Container Network Interface files have permissions of `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.9_rationale_statement",
+ "id": "CIS-1.1.9_rat",
 "name": "rationale_statement",
 "prose": "Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be writable by only the administrators on the system."
 },
 {
- "id": "CIS-1.1.9_impact_statement",
+ "id": "CIS-1.1.9_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.9_remediation_procedure",
+ "id": "CIS-1.1.9_rem",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.9_audit_procedure",
+ "id": "CIS-1.1.9_aud",
 "name": "audit_procedure",
 "prose": "The Cluster Network Operator (CNO) deploys and manages the cluster network components on an OpenShift Container Platform cluster. This includes the Container Network Interface (CNI) default network provider plug-in selected for the cluster during installation. OpenShift Container Platform uses the Multus CNI plug-in to allow chaining of CNI plug-ins. The default Pod network must be configured during cluster installation. By default, the CNO deploys the OpenShift SDN as the default Pod network. \n\nEnsure that the Container Network Interface file permissions, multus, openshift-sdn and Open vSwitch (OVS) file permissions are set to 644 or more restrictive. The SDN components are deployed as DaemonSets across the master/worker nodes with controllers limited to control plane nodes. OpenShift deploys OVS as a network overlay by default. 
Various configurations (ConfigMaps and other files managed by the operator via hostpath but stored on the container hosts) are stored in the following locations:\n\nCNI/Multus (pod muluts):\n\n`/host/etc/cni/net.d = CNI_CONF_DIR`\n`/host/var/run/multus/cni/net.d = multus config dir`\n\nSDN (pod ovs; daemonset; app=ovs):\n\n`/var/lib/cni/networks/openshift-sdn `\n`/var/run/openshift-sdn`\n\nOVS (container openvswitch):\n\n`/var/run/openvswitch`\n`/etc/openvswitch`\n`/run/openvswitch`\n\nRun the following commands. \n\n```\n\n# For CNI multus\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%a %n\\\" /host/etc/cni/net.d/*.conf\"; done\n\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%a %n\\\" /host/var/run/multus/cni/net.d/*.conf\"; done\n\n# For SDN pods\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c %a {} \\;; done\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/run/openshift-sdn -type f -exec stat -c %a {} \\;; done\n\n# For OVS pods\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /var/run/openvswitch -type f -exec stat -c %a {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /etc/openvswitch -type f -exec stat -c %a {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /run/openvswitch -type f -exec stat -c %a {} \\;; done \n```\n\nVerify that the config files for the CNI multus pods have permissions of 600 or more restrictive. 
\n\n`/host/etc/cni/net.d/00-multus.conf = 600`\n`/host/var/run/multus/cni/net.d/80-openshift-network.conf = 600`\n\nVerify that the SDN pods permissions are 600 or more restrictive.\n\n`/var/lib/cni/networks/openshift-sdn/* = 600`\n`/var/run/openshift-sdn/cniserver/config.json = 600`\n\nVerify that the OVS permissions are 600 or more restrictive.\n\n`/var/run/openvswitch/ovs-vswitchd.pid = 600`\n`/etc/openvswitch/conf.db = 600`\n`/etc/openvswitch/system-id.conf = 600`\n`/etc/openvswitch/.conf.db.~lock~ = 600`\n`/run/openvswitch/ovs-vswitchd.pid = 600`\n`/run/openvswitch/ovsdb-server.pid = 644`"
 },
 {
- "id": "CIS-1.1.9_CIS_Controls",
+ "id": "CIS-1.1.9_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;"
 }
@@ -940,7 +940,7 @@
 ],
 "links": [
 {
- "href": "#b679d699-ad77-45c7-9ed4-454a836b1031",
+ "href": "#8d4d808e-99b0-4181-815f-2a7b03e311f7",
 "rel": "reference"
 }
 ],
@@ -951,27 +951,27 @@
 "prose": "Ensure that the Container Network Interface files have ownership set to `root:root`."
 },
 {
- "id": "CIS-1.1.10_rationale_statement",
+ "id": "CIS-1.1.10_rat",
 "name": "rationale_statement",
 "prose": "Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be owned by `root:root`."
 },
 {
- "id": "CIS-1.1.10_impact_statement",
+ "id": "CIS-1.1.10_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.10_remediation_procedure",
+ "id": "CIS-1.1.10_rem",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.10_audit_procedure",
+ "id": "CIS-1.1.10_aud",
 "name": "audit_procedure",
 "prose": "The Cluster Network Operator (CNO) deploys and manages the cluster network components on an OpenShift Container Platform cluster. This includes the Container Network Interface (CNI) default network provider plug-in selected for the cluster during installation. OpenShift Container Platform uses the Multus CNI plug-in to allow chaining of CNI plug-ins. The default Pod network must be configured during cluster installation. By default, the CNO deploys the OpenShift SDN as the default Pod network. \n\nEnsure that the `multu` and `openshift-sdn` file ownership is set to root:root and the Open vSwitch (OVS) file ownership is set to `openvswitch:openvswitch`. \n\nThe SDN components are deployed as DaemonSets across the master/worker nodes with controllers limited to control plane nodes. OpenShift deploys OVS as a network overlay by default. 
Various configurations (ConfigMaps and other files managed by the operator via `hostpath` but stored on the container hosts) are stored in the following locations:\n\nCNI:\n\n`/etc/cni/net.d`\n`/host/var/run/multus/cni/net.d`\n\nSDN:\n\n`/var/lib/cni/networks/openshift-sdn `\n`/var/run/openshift-sdn`\n\nSDN OVS:\n\n`/var/run/openvswitch`\n`/etc/openvswitch`\n`/run/openvswitch`\n\nRun the following commands.\n\n```\n\n# For CNI multus\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%U:%G %n\\\" /host/etc/cni/net.d/*.conf\"; done\n\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%U:%G %n\\\" /host/var/run/multus/cni/net.d/*.conf\"; done\n\n# For SDN pods\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c \\\"%U:%G\\\" {} \\;; done\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/run/openshift-sdn -type f -exec stat -c %U:%G {} \\;; done\n\n# For OVS pods in 4.5\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /var/run/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /etc/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /run/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\n# For OVS pods in 4.6\nTBD\n```\n\nVerify that the CNI and SDN file ownership is set to `root:root`.\n\n`/host/etc/cni/net.d/00-multus.conf = root:root`\n`/host/var/run/multus/cni/net.d/80-openshift-network.conf = root:root`\n`/var/lib/cni/networks/openshift-sdn = root:root`\n`/var/run/openshift-sdn = 
root:root`\n\nVerify that the OVS file ownership is set to `openvswitch:openvswitch`.\n\n`/var/run/openvswitch = openvswitch:openvswitch`\n`/etc/openvswitch = openvswitch:openvswitch`\n`/run/openvswitch = openvswitch:openvswitch`"
 },
 {
- "id": "CIS-1.1.10_CIS_Controls",
+ "id": "CIS-1.1.10_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 }
@@ -1034,7 +1034,7 @@
 ],
 "links": [
 {
- "href": "#1436e335-5bdc-4339-aa7e-ded1e56b015c",
+ "href": "#57b03bf4-abef-4ffb-a8d5-83dd1e32a84f",
 "rel": "reference"
 }
 ],
@@ -1045,27 +1045,27 @@ "prose": "Ensure that the etcd data directory has permissions of `700` or more restrictive." }, { - "id": "CIS-1.1.11_rationale_statement", + "id": "CIS-1.1.11_rat", "name": "rationale_statement", "prose": "`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should not be readable or writable by any group members or the world." }, { - "id": "CIS-1.1.11_impact_statement", + "id": "CIS-1.1.11_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.11_remediation_procedure", + "id": "CIS-1.1.11_rem", "name": "remediation_procedure", "prose": "No remediation required. File permissions are managed by the `etcd` operator." }, { - "id": "CIS-1.1.11_audit_procedure", + "id": "CIS-1.1.11_aud", "name": "audit_procedure", "prose": "In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml`. The `etcd` database is stored on the container host in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The permissions for this directory on the container host is `700`. \n\nStarting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. cluster-admin rights are required to exec into `etcd` containers.\n\nRun the following commands.\n\n```\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %a%n /var/lib/etcd/member; done\n```\n\nVerify that the permissions are `700`." 
}, { - "id": "CIS-1.1.11_CIS_Controls", + "id": "CIS-1.1.11_ctl", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -1128,7 +1128,7 @@ ], "links": [ { - "href": "#28d31254-ad8d-47c5-a102-594b3db49a4c", + "href": "#4ed24380-ff84-471a-b732-d190144e9be3", "rel": "reference" } ], 
@@ -1139,27 +1139,27 @@ "prose": "Ensure that the `etcd` data directory ownership is set to `etcd:etcd`." }, { - "id": "CIS-1.1.12_rationale_statement", + "id": "CIS-1.1.12_rat", "name": "rationale_statement", "prose": "`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.\n\nNOTE: The only users that exist on an RHCOS OpenShift node are root and core. This is intentional, as regular management of the underlying RHCOS cluster nodes is designed to be performed via the OpenShift API itself. The core user is a member of the wheel group, which gives it permission to use `sudo` for running privileged commands. Adding additional users at the node level is highly discouraged." }, { - "id": "CIS-1.1.12_impact_statement", + "id": "CIS-1.1.12_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.12_remediation_procedure", + "id": "CIS-1.1.12_rem", "name": "remediation_procedure", "prose": "No remediation required; file ownership is managed by the operator." }, { - "id": "CIS-1.1.12_audit_procedure", + "id": "CIS-1.1.12_aud", "name": "audit_procedure", "prose": "In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The `etcd` database is stored on the master nodes in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The ownership for this directory on the `etcd-member` container and on the container host is `root:root`. \n\nStarting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. 
cluster-admin rights are required to exec into `etcd` containers.\n\nRun the following command.\n\n```\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %U:%G /var/lib/etcd/member; done\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-1.1.12_CIS_Controls", + "id": "CIS-1.1.12_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" } @@ -1222,7 +1222,7 @@ ], "links": [ { - "href": "#5872a0ff-2aea-4191-a31b-d914bdc46ca5", + "href": "#ccba75f5-d463-4f61-ab24-1dfce255d5b1", "rel": "reference" } ], 
@@ -1233,27 +1233,27 @@ "prose": "Ensure that the `admin.conf` file has permissions of `600` or more restrictive." }, { - "id": "CIS-1.1.13_rationale_statement", + "id": "CIS-1.1.13_rat", "name": "rationale_statement", "prose": "The `admin.conf` is the administrator `kubeconfig` file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-1.1.13_impact_statement", + "id": "CIS-1.1.13_imp", "name": "impact_statement", "prose": "None." }, { - "id": "CIS-1.1.13_remediation_procedure", + "id": "CIS-1.1.13_rem", "name": "remediation_procedure", "prose": "Execute the command below:\n\n```\nchmod 600 /etc/kubernetes/kubeconfig/admin.config\n```" }, { - "id": "CIS-1.1.13_audit_procedure", + "id": "CIS-1.1.13_aud", "name": "audit_procedure", "prose": "In OpenShift 4 the admin config file is stored in `/etc/kubernetes/kubeconfig` with permissions `644`.\n\nRun the following command.\n\n```\nfor i in $(oc get nodes -o name)\n do\n echo $i\n oc debug $i -- <.`. The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. 
\n\nRun the following command:\n\n```\n# TLS Cert File - openshift-kube-apiserver\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.certFile\n\n# TLS Key File\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.keyFile\n```\n\nVerify that the following files exist.\n\n`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt` \n`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key`" }, { - "id": "CIS-1.2.30_CIS_Controls", + "id": "CIS-1.2.30_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -4908,7 +4908,7 @@ ], "links": [ { - "href": "#befe3b8f-c971-4274-9724-1df35e87491c", + "href": "#7f3c670d-2513-4acf-a814-6cba66af12b3", "rel": "reference" } ], 
@@ -4919,27 +4919,27 @@ "prose": "Setup TLS connection on the API server." }, { - "id": "CIS-1.2.31_rationale_statement", + "id": "CIS-1.2.31_rat", "name": "rationale_statement", "prose": "API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate." }, { - "id": "CIS-1.2.31_impact_statement", + "id": "CIS-1.2.31_imp", "name": "impact_statement", "prose": "TLS and client certificate authentication must be configured for your Kubernetes cluster deployment. By default, OpenShift uses X.509 certificates to provide secure connections between the API server and node/kubelet. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. The OpenShift Container Platform alerting framework has rules to help identify when a certificate issue is about to occur. These rules consist of the following checks:\n\n- API server client certificate expiration is less than five minutes." }, { - "id": "CIS-1.2.31_remediation_procedure", + "id": "CIS-1.2.31_rem", "name": "remediation_procedure", "prose": "OpenShift automatically manages TLS authentication for the API server communication with the node/kublet. This is not configurable. \n\nYou may optionally set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. \n\n```\nUser-provided certificates must be provided in a kubernetes.io/tls type Secret in the openshift-config namespace. 
Update the API server cluster configuration, the apiserver/cluster resource, to enable the use of the user-provided certificate.\n```" }, { - "id": "CIS-1.2.31_audit_procedure", + "id": "CIS-1.2.31_aud", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure connections between API server and node/kubelet by default. OpenShift configures the `client-ca-file` value and does not use value assigned to the `client-ca-file` flag. OpenShift generates the necessary files and sets the arguments appropriately. \n\nThe API server is accessible by clients external to the cluster at `api..`. The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. \n\nRun the following command:\n\n```\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.clientCA\n```\n\nVerify that the following file exists.\n\n`/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt`" }, { - "id": "CIS-1.2.31_CIS_Controls", + "id": "CIS-1.2.31_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -5002,7 +5002,7 @@ ], "links": [ { - "href": "#145df28f-05bb-489e-a5f2-120c097942d7", + "href": "#3dab0d41-67da-4f36-9137-7e63b621682c", "rel": "reference" } ], 
@@ -5013,27 +5013,27 @@ "prose": "`etcd` should be configured to make use of TLS encryption for client connections." }, { - "id": "CIS-1.2.32_rationale_statement", + "id": "CIS-1.2.32_rat", "name": "rationale_statement", "prose": "`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the `etcd` server using a SSL Certificate Authority file." }, { - "id": "CIS-1.2.32_impact_statement", + "id": "CIS-1.2.32_imp", "name": "impact_statement", "prose": "TLS and client certificate authentication must be configured for `etcd`." }, { - "id": "CIS-1.2.32_remediation_procedure", + "id": "CIS-1.2.32_rem", "name": "remediation_procedure", "prose": "None required. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. Communication with `etcd` is secured by the `etcd` serving CA." }, { - "id": "CIS-1.2.32_audit_procedure", + "id": "CIS-1.2.32_aud", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift does not use values assigned to the `etcd-cafile` argument. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. OpenShift includes multiple certificate authorities (CAs) providing independent chains of trust, increasing the security posture of the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. 
Communication with `etcd` is secured by the `etcd` serving CA.\n\nRun the following command\n\n```\n# etcd CA File\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .storageConfig.ca\n\n# for ocp 4.6 replace jq -r .storageConfig.ca with\n jq -r '.apiServerArguments[\"etcd-cafile\"]'\n```\n\nVerify that the following is returned\n\n`/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt`" }, { - "id": "CIS-1.2.32_CIS_Controls", + "id": "CIS-1.2.32_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -5096,7 +5096,7 @@ ], "links": [ { - "href": "#d02d38ef-2e86-4dcf-a894-b44ddb562b12", + "href": "#5992b0b7-d2b0-47a3-b819-d13bdde29a68", "rel": "reference" } ], 
@@ -5107,27 +5107,27 @@ "prose": "Encrypt `etcd` key-value store." }, { - "id": "CIS-1.2.33_rationale_statement", + "id": "CIS-1.2.33_rat", "name": "rationale_statement", "prose": "`etcd` is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures." }, { - "id": "CIS-1.2.33_impact_statement", + "id": "CIS-1.2.33_imp", "name": "impact_statement", "prose": "When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:\n\n- Secrets\n- ConfigMaps\n- Routes\n- OAuth access tokens\n- OAuth authorize tokens\n\nWhen you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup." }, { - "id": "CIS-1.2.33_remediation_procedure", + "id": "CIS-1.2.33_rem", "name": "remediation_procedure", "prose": "Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)" }, { - "id": "CIS-1.2.33_audit_procedure", + "id": "CIS-1.2.33_aud", "name": "audit_procedure", "prose": "OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. 
Keys are stored on the filesystem of the master and automatically rotated.\n\nFollow the steps in the documentation to encrypt the `etcd` datastore: Encrypting [etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)\n\nRun the following command to review the `Encrypted` status condition for the OpenShift API server to verify that its resources were successfully encrypted:\n\n```\n# encrypt the etcd datastore\noc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n```\n\nThe output shows `EncryptionCompleted` upon successful encryption. \n\n- `EncryptionCompleted`\n- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io`\n\nIf the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again." }, { - "id": "CIS-1.2.33_CIS_Controls", + "id": "CIS-1.2.33_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } 
@@ -5190,7 +5190,7 @@ ], "links": [ { - "href": "#9e782cd9-b388-4b72-ba8e-5ae74e2fc06f", + "href": "#1acc4a3c-6834-4fb0-bae1-d743511159c0", "rel": "reference" } ], 
@@ -5201,27 +5201,27 @@ "prose": "Where `etcd` encryption is used, appropriate providers should be configured." }, { - "id": "CIS-1.2.34_rationale_statement", + "id": "CIS-1.2.34_rat", "name": "rationale_statement", "prose": "Where `etcd` encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the `aescbc`, `kms` and `secretbox` are likely to be appropriate options." }, { - "id": "CIS-1.2.34_impact_statement", + "id": "CIS-1.2.34_imp", "name": "impact_statement", "prose": "When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:\n\n- Secrets\n- ConfigMaps\n- Routes\n- OAuth access tokens\n- OAuth authorize tokens\n\nWhen you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup." }, { - "id": "CIS-1.2.34_remediation_procedure", + "id": "CIS-1.2.34_rem", "name": "remediation_procedure", "prose": "Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)" }, { - "id": "CIS-1.2.34_audit_procedure", + "id": "CIS-1.2.34_aud", "name": "audit_procedure", "prose": "OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. No other ciphers are supported. Keys are stored on the filesystem of the master and automatically rotated.\n\nRun the following command to review the Encrypted status condition for the OpenShift API server to verify that its resources were successfully encrypted:\n\n```\n# encrypt the etcd datastore \noc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n```\n\nThe output shows EncryptionCompleted upon successful encryption. 
\n\n- `EncryptionCompleted`\n- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io`\n\nIf the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again." }, { - "id": "CIS-1.2.34_CIS_Controls", + "id": "CIS-1.2.34_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -5284,7 +5284,7 @@ ], "links": [ { - "href": "#22b065f6-0a4a-4564-86a1-e6a050ebbcca", + "href": "#e75501a2-c5f6-42b0-8c4c-56220a7d5321", "rel": "reference" } ], 
@@ -5295,27 +5295,27 @@ "prose": "Ensure that the API server is configured to only use strong cryptographic ciphers." }, { - "id": "CIS-1.2.35_rationale_statement", + "id": "CIS-1.2.35_rat", "name": "rationale_statement", "prose": "TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided." }, { - "id": "CIS-1.2.35_impact_statement", + "id": "CIS-1.2.35_imp", "name": "impact_statement", "prose": "API server clients that cannot support the custom cryptographic ciphers will not be able to make connections to the API server." }, { - "id": "CIS-1.2.35_remediation_procedure", + "id": "CIS-1.2.35_rem", "name": "remediation_procedure", "prose": "Follow the directions above and in the OpenShift documentation Configuring Ingress." }, { - "id": "CIS-1.2.35_audit_procedure", + "id": "CIS-1.2.35_aud", "name": "audit_procedure", "prose": "Ciphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. There are four TLS security profile types:\n\n- Old\n- Intermediate\n- Modern\n- Custom\n\nOnly the Old, Intermediate and Custom profiles are supported at this time. Custom provides the ability to specify individual TLS security profile parameters. Follow the steps in the documentation to configure the cipher suite for Ingress and the API server. 
[Ingress controller configuration parameters](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress)\n\nRun the following commands to verify the cipher suite and `minTLSversion` for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and `Kube APIserver`.\n\n```\n# verify cipher suites\noc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\\-0\\-config\\-system\\-cliconfig}' | jq .servingInfo\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\noc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\noc describe --namespace=openshift-ingress-operator ingresscontroller/default\n```\n\nVerify that the `tlsSecurityProfile` is set to the value you chose. \n\nNote: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2." }, { - "id": "CIS-1.2.35_CIS_Controls", + "id": "CIS-1.2.35_ctl", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.;" } @@ -5393,7 +5393,7 @@ ], "links": [ { - "href": "#e3a167bb-1cbd-4137-b983-f58504c4e56a", + "href": "#614f36e5-a5e7-4fd1-b212-97d46635ab05", "rel": "reference" } ], 
@@ -5404,27 +5404,27 @@ "prose": "Activate garbage collector on pod termination, as appropriate." }, { - "id": "CIS-1.3.1_rationale_statement", + "id": "CIS-1.3.1_rat", "name": "rationale_statement", "prose": "Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection." }, { - "id": "CIS-1.3.1_impact_statement", + "id": "CIS-1.3.1_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.3.1_remediation_procedure", + "id": "CIS-1.3.1_rem", "name": "remediation_procedure", "prose": "To configure, follow the directions in [Configuring garbage collection for containers and images](\nhttps://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring)" }, { - "id": "CIS-1.3.1_audit_procedure", + "id": "CIS-1.3.1_aud", "name": "audit_procedure", "prose": "Two types of garbage collection are performed on an OpenShift Container Platform node: \n\n- Container garbage collection: Removes terminated containers.\n- Image garbage collection: Removes images not referenced by any running pods.\n\nContainer garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. 
Default values are found here https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L554-L604\n\nThe OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a `kubeletConfig` object for each Machine Config Pool using any combination of the following:\n\n- soft eviction for containers\n- hard eviction for containers\n- eviction for images\n\nTo configure, follow the directions in \n\nhttps://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring\n\nTo verify settings, run the following command for each updated `configpool`\n\n```\noc get machineconfigpool\n\n# For each machineconfigpool\noc describe machineconfigpool \n\n#For example\noc describe machineconfigpool master\noc describe machineconfigpool worker\n```\n\nVerify the values for the following are set as appropriate.\n\n`eviction-soft`\n`evictionSoftGracePeriod`\n`evictionHard`\n`evictionPressureTransitionPeriod`" }, { - "id": "CIS-1.3.1_CIS_Controls", + "id": "CIS-1.3.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Enable Anti-Exploitation Features CONTROL:v8 10.5 DESCRIPTION:Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.;TITLE:Establish Secure Configurations CONTROL:v7 5.1 DESCRIPTION:Maintain documented, standard security configuration standards for all authorized operating systems and software.;" } @@ -5487,7 +5487,7 @@ ], "links": [ { - "href": "#66d532eb-5316-4b56-9a65-2cb7a0905f7e", + "href": "#a0cd76ba-5b3b-4ede-8ad4-82ef0e89da65", "rel": "reference" } ], 
@@ -5498,27 +5498,27 @@ "prose": "Disable profiling, if not needed." }, { - "id": "CIS-1.3.2_rationale_statement", + "id": "CIS-1.3.2_rat", "name": "rationale_statement", "prose": "Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface." }, { - "id": "CIS-1.3.2_impact_statement", + "id": "CIS-1.3.2_imp", "name": "impact_statement", "prose": "Profiling information would not be available." }, { - "id": "CIS-1.3.2_remediation_procedure", + "id": "CIS-1.3.2_rem", "name": "remediation_procedure", "prose": "None required; profiling is protected by RBAC." }, { - "id": "CIS-1.3.2_audit_procedure", + "id": "CIS-1.3.2_aud", "name": "audit_procedure", "prose": "By default, the Controller Manager operator exposes metrics via the metrics service. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to cluster-admin or cluster-debugger role. \n\nProfiling can not be disabled. 
\n\nTo verify the configuration, run the following command:\n\nRun the following command:\n\n```\n# Verify configuration for ports, livenessProbe, readinessProbe, healthz\noc -n openshift-kube-controller-manager get cm kube-controller-manager-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# Verify endpoints\noc -n openshift-kube-controller-manager describe endpoints\n\n# Test to validate RBAC enabled on the controller endpoint; check with non-admin role\noc project openshift-kube-controller-manager\n\nPOD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}')\n\nPORT=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].spec.containers[0].ports[0].hostPort}')\n\n# Following should return 403 Forbidden\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -k\n\n# Create a service account to test RBAC\noc create -n openshift-kube-controller-manager sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa -n openshift-kube-controller-manager get-token permission-test-sa)\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete -n openshift-kube-controller-manager sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the livenessProbe and readinessProbe are set to path: `healthz`.\n\nVerify that regular users cannot learn anything about the controller manager.\n\nVerify that users with the cluster_admin role can retrieve metrics from the endpoint." 
}, { - "id": "CIS-1.3.2_CIS_Controls", + "id": "CIS-1.3.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -5576,7 +5576,7 @@ ], "links": [ { - "href": "#3505a93f-6a2a-47c9-b131-a82dff05e6bb", + "href": "#9a07f228-1b6b-4d05-993e-b5dff8aa4d04", "rel": "reference" } ], 
@@ -5587,27 +5587,27 @@ "prose": "Use individual service account credentials for each controller." }, { - "id": "CIS-1.3.3_rationale_statement", + "id": "CIS-1.3.3_rat", "name": "rationale_statement", "prose": "The controller manager creates a service account per controller in the `kube-system` namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks." }, { - "id": "CIS-1.3.3_impact_statement", + "id": "CIS-1.3.3_imp", "name": "impact_statement", "prose": "Whatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the `kube-system` namespace automatically with default roles and `rolebindings` that are auto-reconciled on startup.\n\nIf using other authorization methods (ABAC, Webhook, etc), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles." }, { - "id": "CIS-1.3.3_remediation_procedure", + "id": "CIS-1.3.3_rem", "name": "remediation_procedure", "prose": "The OpenShift Controller Manager operator manages and updates the OpenShift Controller Manager. The Kubernetes Controller Manager operator manages and updates the [Kubernetes Controller Manager](https://github.com/kubernetes/kubernetes) deployed on top of [OpenShift](https://openshift.io/). 
This operator is configured via [KubeControllerManager](https://github.com/openshift/api/blob/master/operator/v1/types_kubecontrollermanager.go) custom resource." }, { - "id": "CIS-1.3.3_audit_procedure", + "id": "CIS-1.3.3_aud", "name": "audit_procedure", "prose": "In OpenShift, `--use-service-account-credentials` is set to `true` by default for the Controller Manager. The bootstrap configuration and overrides are available here: \n\n[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml)\n\n[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml)\n\nRun the following command on the master node:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"use-service-account-credentials\"][]'\n```\n\nVerify that the `--use-service-account-credentials` argument is set to `true`." }, { - "id": "CIS-1.3.3_CIS_Controls", + "id": "CIS-1.3.3_ctl", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5665,7 +5665,7 @@ ], "links": [ { - "href": "#f9793b52-6b7b-4e7b-aae7-e19bbbc5fba4", + "href": "#521c91ea-b8cd-4ba1-be26-99997ff62041", "rel": "reference" } ], 
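Review bot: The part ids in this hunk shrink from `CIS-1.3.3_rationale_statement`, `CIS-1.3.3_impact_statement`, `CIS-1.3.3_remediation_procedure`, `CIS-1.3.3_audit_procedure` and `CIS-1.3.3_CIS_Controls` to the `_rat`/`_imp`/`_rem`/`_aud`/`_ctl` forms while each part's `name` keeps the long spelling, and in OSCAL the part `id` is the anchor a profile or component-definition resolves against, so any downstream document pinned to the old ids will presumably stop resolving once this catalog is published. Because the catalog `version` is bumped in the same change, consumers have a signal to re-validate their `by-id` references, but the rename itself is worth stating explicitly as a breaking change and, if the ids come from a generator, the old-to-new mapping should be recorded alongside it. The same id rename is applied uniformly across the other hunks of this diff, so one note covers them all.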
@@ -5676,27 +5676,27 @@ "prose": "Explicitly set a service account private key file for service accounts on the controller manager." }, { - "id": "CIS-1.3.4_rationale_statement", + "id": "CIS-1.3.4_rat", "name": "rationale_statement", "prose": "To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate." }, { - "id": "CIS-1.3.4_impact_statement", + "id": "CIS-1.3.4_imp", "name": "impact_statement", "prose": "You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy." }, { - "id": "CIS-1.3.4_remediation_procedure", + "id": "CIS-1.3.4_rem", "name": "remediation_procedure", "prose": "None required. OpenShift manages the service account credentials for the scheduler automatically." }, { - "id": "CIS-1.3.4_audit_procedure", + "id": "CIS-1.3.4_aud", "name": "audit_procedure", "prose": "OpenShift starts the Kubernetes Controller Manager with service-account-private-key-file set to `/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key`. 
\n\nThe bootstrap configuration and overrides are available here: \n\n[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml)\n\n[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml)\n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"service-account-private-key-file\"][]'\n```\n\nVerify that the following is returned\n\n`/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key`" }, { - "id": "CIS-1.3.4_CIS_Controls", + "id": "CIS-1.3.4_ctl", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5759,7 +5759,7 @@ ], "links": [ { - "href": "#619a4bf8-1ef8-440e-8b2f-b8eae6ff3e56", + "href": "#3d3a74dc-9186-4da4-b7d9-54a31fdc4ee4", "rel": "reference" } ], 
@@ -5770,27 +5770,27 @@ "prose": "Allow pods to verify the API server's serving certificate before establishing connections." }, { - "id": "CIS-1.3.5_rationale_statement", + "id": "CIS-1.3.5_rat", "name": "rationale_statement", "prose": "Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks.\n\nProviding the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server." }, { - "id": "CIS-1.3.5_impact_statement", + "id": "CIS-1.3.5_imp", "name": "impact_statement", "prose": "OpenShift clusters manage and maintain certificate authorities and certificates for cluster components." }, { - "id": "CIS-1.3.5_remediation_procedure", + "id": "CIS-1.3.5_rem", "name": "remediation_procedure", "prose": "None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform." }, { - "id": "CIS-1.3.5_audit_procedure", + "id": "CIS-1.3.5_aud", "name": "audit_procedure", "prose": "Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"root-ca-file\"][]'\n```\n\nVerify that the `--root-ca-file` argument exists and is set to `/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt`." }, { - "id": "CIS-1.3.5_CIS_Controls", + "id": "CIS-1.3.5_ctl", "name": "CIS_Controls", "prose": "TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. 
Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5853,7 +5853,7 @@ ], "links": [ { - "href": "#6023ef46-fe27-4793-93b7-ce98ced8c51f", + "href": "#bb301df3-f9dc-47db-bb2a-43cfac62bbd0", "rel": "reference" } ], 
@@ -5864,27 +5864,27 @@ "prose": "Enable kubelet server certificate rotation on controller-manager." }, { - "id": "CIS-1.3.6_rationale_statement", + "id": "CIS-1.3.6_rat", "name": "rationale_statement", "prose": "`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself." }, { - "id": "CIS-1.3.6_impact_statement", + "id": "CIS-1.3.6_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.3.6_remediation_procedure", + "id": "CIS-1.3.6_rem", "name": "remediation_procedure", "prose": "None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform." }, { - "id": "CIS-1.3.6_audit_procedure", + "id": "CIS-1.3.6_aud", "name": "audit_procedure", "prose": "Certificates for the kubelet are automatically created and rotated by the OpenShift Container Platform. The kubelet is installed automatically on every RHCOS node. The OpenShift `kubelet-serving-CA` manages certificates for the kubelet. Kubelet certificates are automatically issued and rotated. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq -r '.extendedArguments[\"feature-gates\"][]'\n```\n\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`." 
}, { - "id": "CIS-1.3.6_CIS_Controls", + "id": "CIS-1.3.6_ctl", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5947,7 +5947,7 @@ ], "links": [ { - "href": "#6ebf3416-fb70-4668-877f-7b32f2b95156", + "href": "#309dfb4c-b87f-4648-a2a4-52ecf44d4a80", "rel": "reference" } ], 
@@ -5958,27 +5958,27 @@ "prose": "Do not bind the Controller Manager service to non-loopback insecure addresses." }, { - "id": "CIS-1.3.7_rationale_statement", + "id": "CIS-1.3.7_rat", "name": "rationale_statement", "prose": "The Controller Manager API service which runs on port 10257/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface" }, { - "id": "CIS-1.3.7_impact_statement", + "id": "CIS-1.3.7_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.3.7_remediation_procedure", + "id": "CIS-1.3.7_rem", "name": "remediation_procedure", "prose": "None required. The OpenShift operators configure this correctly." }, { - "id": "CIS-1.3.7_audit_procedure", + "id": "CIS-1.3.7_aud", "name": "audit_procedure", "prose": "The `bind-address` argument is not used. The `secure-port` argument is set to `10257`. The `insecure-port` argument is set to `0`. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq '.extendedArguments[\"secure-port\"][]'\n\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq '.extendedArguments[\"port\"][]'\n\n#Following should fail with a http code 403\nPOD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}')\n\noc rsh -n openshift-kube-controller-manager -c kube-controller-manager $POD curl https://localhost:10257/metrics -k\n```\n\nVerify that `secure-port` is set to `10257` and that `port` is set to `0`.\n\nVerify that attempt to access the controller manager metrics fails with a HTTP code 403." 
}, { - "id": "CIS-1.3.7_CIS_Controls", + "id": "CIS-1.3.7_ctl", "name": "CIS_Controls", "prose": "TITLE:Use of Secure Network Management and Communication Protocols  CONTROL:v8 12.6 DESCRIPTION:Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -6061,7 +6061,7 @@ ], "links": [ { - "href": "#cbb79ba5-171a-4d74-b1c0-8320a2768d32", + "href": "#47a3fd6b-b95a-434d-915d-71b5afe6540b", "rel": "reference" } ], 
@@ -6072,27 +6072,27 @@ "prose": "Disable profiling, if not needed." }, { - "id": "CIS-1.4.1_rationale_statement", + "id": "CIS-1.4.1_rat", "name": "rationale_statement", "prose": "Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface." }, { - "id": "CIS-1.4.1_impact_statement", + "id": "CIS-1.4.1_imp", "name": "impact_statement", "prose": "Profiling information would not be available." }, { - "id": "CIS-1.4.1_remediation_procedure", + "id": "CIS-1.4.1_rem", "name": "remediation_procedure", "prose": "A fix to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488\n\nNone required. Profiling is protected by RBAC and cannot be disabled." }, { - "id": "CIS-1.4.1_audit_procedure", + "id": "CIS-1.4.1_aud", "name": "audit_procedure", "prose": "In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`\n\nTo ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled. 
\n\nTo verify the configuration, run the following command:\n\nRun the following command:\n\n```\n# check configuration for ports, livenessProbe, readinessProbe, healthz\n\noc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# Test to verify endpoints\n\noc -n openshift-kube-scheduler describe endpoints\n\nTest to validate RBAC enabled on the scheduler endpoint; check with non-admin role\n\noc project openshift-kube-scheduler\n\nPOD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')\n\nPORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')\n\n# Should return 403 Forbidden\noc rsh ${POD} curl http://localhost:${PORT}/metrics -k\n\n# Create a service account to test RBAC\noc create sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa get-token permission-test-sa)\n\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the livenessProbe and readinessProbe are set to path: `healthz`.\n\nVerify that only users with the `cluster_admi`n role can retrieve metrics from the endpoint.\n\nVerify that a regular user cannot get information about the scheduler. NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" }, { - "id": "CIS-1.4.1_CIS_Controls", + "id": "CIS-1.4.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 
Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -6155,7 +6155,7 @@ ], "links": [ { - "href": "#2ff045aa-73f4-4a43-847e-2800c9103fc5", + "href": "#fe18577a-9838-40ad-8ea7-ca45972c4436", "rel": "reference" } ], 
@@ -6166,27 +6166,27 @@ "prose": "Do not bind the scheduler service to non-loopback insecure addresses." }, { - "id": "CIS-1.4.2_rationale_statement", + "id": "CIS-1.4.2_rat", "name": "rationale_statement", "prose": "The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface" }, { - "id": "CIS-1.4.2_impact_statement", + "id": "CIS-1.4.2_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.4.2_remediation_procedure", + "id": "CIS-1.4.2_rem", "name": "remediation_procedure", "prose": "By default, the `--bind-address` argument is not present, the readinessProbe and `livenessProbe` arguments are set to `10251` and the `port` argument is set to `0`.\n\nCheck the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" }, { - "id": "CIS-1.4.2_audit_procedure", + "id": "CIS-1.4.2_aud", "name": "audit_procedure", "prose": "In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`\n\nTo ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled. \n\nThe bind-address argument is not used. 
Both authentication and authorization are in place.\n\nhttps://github.com/openshift/cluster-kube-scheduler-operator\n\nRun the following command:\n\n```\n# to verify endpoints\n\noc -n openshift-kube-scheduler describe endpoints\n\n# To verify that bind-adress is not used in the configuration and that port is set to 0\noc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# To test for RBAC: \noc project openshift-kube-scheduler\n\nPOD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')\n\nPOD_IP=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].status.podIP}')\n\nPORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')\n\n# Should return a 403\noc rsh ${POD} curl http://${POD_IP}:${PORT}/metrics\n\n# Create a service account to test RBAC\noc create sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa get-token permission-test-sa)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the --bind-address argument is not present and that `healthz` is bound to `port` `10251`.\n\nVerify that only users with the cluster_admin role can retrieve metrics from the endpoint.\n\nVerify that a regular user cannot get information about the scheduler. 
NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" }, { - "id": "CIS-1.4.2_CIS_Controls", + "id": "CIS-1.4.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Maintain and Enforce Network-Based URL Filters CONTROL:v8 9.3 DESCRIPTION:Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -6271,7 +6271,7 @@ ], "links": [ { - "href": "#2f934076-115e-4a0e-a143-32b8ef9b6ac9", + "href": "#f5a5f692-9d11-4c31-a48a-eefeba268475", "rel": "reference" } ], 
@@ -6282,27 +6282,27 @@ "prose": "Configure TLS encryption for the `etcd` service." }, { - "id": "CIS-2.1_rationale_statement", + "id": "CIS-2.1_rat", "name": "rationale_statement", "prose": "`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit." }, { - "id": "CIS-2.1_impact_statement", + "id": "CIS-2.1_imp", "name": "impact_statement", "prose": "Client connections only over TLS would be served." }, { - "id": "CIS-2.1_remediation_procedure", + "id": "CIS-2.1_rem", "name": "remediation_procedure", "prose": "OpenShift does not use the `etcd-certfile` or `etcd-keyfil`e flags. Certificates for `etcd` are managed by the `etcd` cluster operator." }, { - "id": "CIS-2.1_audit_procedure", + "id": "CIS-2.1_aud", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift generates these files and sets the arguments appropriately. OpenShift does not use the `etcd-certfile` or `etcd-keyfile` flags. \n\nKeys and certificates for control plane components like `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` are stored with their respective static pod configurations in the directory `/etc/kubernetes/static-pod-resources/*/secrets`. 
\n\nRun the following command:\n\n```\n\n# For --cert-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--cert-file=[^ ]*\\).*/\\1/'\ndone\n\n# For --key-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--key-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that cert-file and key-file values are returned for each etcd member.\n`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.crt`\n`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.key`\n\nFor example:\n\n`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.crt`\n`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.key`" }, { - "id": "CIS-2.1_CIS_Controls", + "id": "CIS-2.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -6365,7 +6365,7 @@ ], "links": [ { - "href": "#04d99409-c5ca-4dca-b891-b54d04ea091c", + "href": "#832774b2-5950-4e10-83d9-0f216679461e", "rel": "reference" } ], 
@@ -6376,27 +6376,27 @@ "prose": "Enable client authentication on etcd service." }, { - "id": "CIS-2.2_rationale_statement", + "id": "CIS-2.2_rat", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service." }, { - "id": "CIS-2.2_impact_statement", + "id": "CIS-2.2_imp", "name": "impact_statement", "prose": "All clients attempting to access the etcd server will require a valid client certificate." }, { - "id": "CIS-2.2_remediation_procedure", + "id": "CIS-2.2_rem", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.2_audit_procedure", + "id": "CIS-2.2_aud", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift installation generates these files and sets the arguments appropriately. The following certificates are generated and used by etcd and other processes that communicate with etcd:\n\n- Client certificates: Client certificates are currently used by the API server only, and no other service should connect to etcd directly except for the proxy. 
Client secrets (`etcd-client`, `etcd-metric-client`, `etcd-metric-signer`, and `etcd-signer`) are added to the `openshift-config`, `openshift-monitoring`, and `openshift-kube-apiserver` namespaces.\n- Server certificates: Used by the etcd server for authenticating client requests.\n\nRun the following command on the etcd server node:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--client-cert-auth=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the `--client-cert-auth` argument is set to `true` for each etcd member." }, { - "id": "CIS-2.2_CIS_Controls", + "id": "CIS-2.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -6459,7 +6459,7 @@ ], "links": [ { - "href": "#99e79ffc-d5d4-4ad9-91c9-0115bfc0f6a2", + "href": "#a466cb1e-8796-4f5a-b1ac-989f33a2c7d9", "rel": "reference" } ], 
@@ -6470,27 +6470,27 @@ "prose": "Do not use self-signed certificates for TLS." }, { - "id": "CIS-2.3_rationale_statement", + "id": "CIS-2.3_rat", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service." }, { - "id": "CIS-2.3_impact_statement", + "id": "CIS-2.3_imp", "name": "impact_statement", "prose": "Clients will not be able to use self-signed certificates for TLS." }, { - "id": "CIS-2.3_remediation_procedure", + "id": "CIS-2.3_rem", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.3_audit_procedure", + "id": "CIS-2.3_aud", "name": "audit_procedure", "prose": "OpenShift configures etcd with secure communication. Openshift installs etcd as static pods on control plane nodes, and mounts the configuration files from /etc/etcd/ on the host. The `etcd.conf` file includes `auto-tls` configurations as referenced in `/etc/etcd/etcd.conf`. \n\nOpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. \n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. 
\n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n- Cluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\n# Returns 0 if found, 1 if not found\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | grep -- --auto-tls=true 2>&1>/dev/null ; \\\n echo $?\ndone\n```\n\nVerify that 1 is returned for each etcd member." }, { - "id": "CIS-2.3_CIS_Controls", + "id": "CIS-2.3_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -6553,7 +6553,7 @@ ], "links": [ { - "href": "#c480cf85-174b-4355-b88d-00671113c7a1", + "href": "#af06202d-d39b-42b8-b4a7-930dea06a830", "rel": "reference" } ], 
@@ -6564,27 +6564,27 @@ "prose": "etcd should be configured to make use of TLS encryption for peer connections." }, { - "id": "CIS-2.4_rationale_statement", + "id": "CIS-2.4_rat", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters." }, { - "id": "CIS-2.4_impact_statement", + "id": "CIS-2.4_imp", "name": "impact_statement", "prose": "etcd cluster peers are set up TLS for their communication." }, { - "id": "CIS-2.4_remediation_procedure", + "id": "CIS-2.4_rem", "name": "remediation_procedure", "prose": "None. This configuration is managed by the etcd operator." }, { - "id": "CIS-2.4_audit_procedure", + "id": "CIS-2.4_aud", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.\n\nOpenshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. 
The `etcd.conf` file includes `peer-cert-file` and `peer-key-file` configurations as referenced in `/etc/etcd/etcd.conf`.\n\nRun the following command:\n\n```\n\n# For --peer-cert-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-cert-file=[^ ]*\\).*/\\1/'\ndone\n\n# For --peer-key-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-key-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the following is returned for each etcd member.\n`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.crt`\n`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.key`\n\nFor example\n`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.crt`\n`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.key`" }, { - "id": "CIS-2.4_CIS_Controls", + "id": "CIS-2.4_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -6647,7 +6647,7 @@ ], "links": [ { - "href": "#04062f96-b445-49e4-b38d-4951b110f77b", + "href": "#74fd0641-3cae-435f-9e7d-ce6dcbe02b8f", "rel": "reference" } ], 
@@ -6658,27 +6658,27 @@ "prose": "etcd should be configured for peer authentication." }, { - "id": "CIS-2.5_rationale_statement", + "id": "CIS-2.5_rat", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster." }, { - "id": "CIS-2.5_impact_statement", + "id": "CIS-2.5_imp", "name": "impact_statement", "prose": "All peers attempting to communicate with the etcd server require a valid client certificate for authentication." }, { - "id": "CIS-2.5_remediation_procedure", + "id": "CIS-2.5_rem", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.5_audit_procedure", + "id": "CIS-2.5_aud", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.\n\nOpenshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. The `etcd.conf` file includes `peer-client-cert-auth` configurations as referenced in `/etc/etcd/etcd.conf`. \n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-client-cert-auth=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the `--peer-client-cert-auth` argument is set to `true` for each etcd member." 
}, { - "id": "CIS-2.5_CIS_Controls", + "id": "CIS-2.5_ctl", "name": "CIS_Controls", "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -6741,7 +6741,7 @@ ], "links": [ { - "href": "#634f886c-c6f9-4d79-98fe-a68ec9ce12db", + "href": "#4c66ba57-c10e-4697-a964-b046788fa4af", "rel": "reference" } ], 
@@ -6752,27 +6752,27 @@ "prose": "Do not use automatically generated self-signed certificates for TLS connections between peers." }, { - "id": "CIS-2.6_rationale_statement", + "id": "CIS-2.6_rat", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication." }, { - "id": "CIS-2.6_impact_statement", + "id": "CIS-2.6_imp", "name": "impact_statement", "prose": "All peers attempting to communicate with the etcd server require a valid client certificate for authentication." }, { - "id": "CIS-2.6_remediation_procedure", + "id": "CIS-2.6_rem", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.6_audit_procedure", + "id": "CIS-2.6_aud", "name": "audit_procedure", "prose": "OpenShift does not use the `--peer-auto-tls` argument. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. This means that\n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. 
\n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n\nCluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\n# Returns 0 if found, 1 if not found\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>&1>/dev/null ; \\\n echo $?\ndone\n```\n\nVerify that 1 is returned for each etcd member." }, { - "id": "CIS-2.6_CIS_Controls", + "id": "CIS-2.6_ctl", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -6835,7 +6835,7 @@ ], "links": [ { - "href": "#2363ce8b-2795-4ad8-b608-b705247cb6ab", + "href": "#c88b42c3-268d-480d-be52-66741e503329", "rel": "reference" } ], 
@@ -6846,27 +6846,27 @@ "prose": "Use a different certificate authority for etcd from the one used for Kubernetes." }, { - "id": "CIS-2.7_rationale_statement", + "id": "CIS-2.7_rat", "name": "rationale_statement", "prose": "etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. Its access should be restricted to specifically designated clients and peers only.\n\nAuthentication to etcd is based on whether the certificate presented was issued by a trusted certificate authority. There is no checking of certificate attributes such as common name or subject alternative name. As such, if any attackers were able to gain access to any certificate issued by the trusted certificate authority, they would be able to gain full access to the etcd database." }, { - "id": "CIS-2.7_impact_statement", + "id": "CIS-2.7_imp", "name": "impact_statement", "prose": "Additional management of the certificates and keys for the dedicated certificate authority will be required." }, { - "id": "CIS-2.7_remediation_procedure", + "id": "CIS-2.7_rem", "name": "remediation_procedure", "prose": "None required. Certificates for etcd are managed by the OpenShift cluster etcd operator." }, { - "id": "CIS-2.7_audit_procedure", + "id": "CIS-2.7_aud", "name": "audit_procedure", "prose": "OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. OpenShift uses a separate CA for etcd.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. 
This means that\n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. \n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n\nCluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--trusted-ca-file=[^ ]*\\).*/\\1/'\ndone\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-trusted-ca-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that `--trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt` and `--peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt` are returned for each member." }, { - "id": "CIS-2.7_CIS_Controls", + "id": "CIS-2.7_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -6960,7 +6960,7 @@ ], "links": [ { - "href": "#8ebb9358-103a-43af-b4c2-e186afa69e70", + "href": "#01409ae6-b0ad-475f-bfa7-2ee62ec12645", "rel": "reference" } ], 
@@ -6968,30 +6968,30 @@ { "id": "CIS-3.1.1_smt", "name": "statement", - "prose": "Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication." + "prose": "Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose.\n\nIt is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication." }, { - "id": "CIS-3.1.1_rationale_statement", + "id": "CIS-3.1.1_rat", "name": "rationale_statement", "prose": "With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation." }, { - "id": "CIS-3.1.1_impact_statement", + "id": "CIS-3.1.1_imp", "name": "impact_statement", "prose": "External mechanisms for authentication generally require additional software to be deployed." }, { - "id": "CIS-3.1.1_remediation_procedure", + "id": "CIS-3.1.1_rem", "name": "remediation_procedure", "prose": "Configure an identity provider for the OpenShift cluster. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html). Once an identity provider has been defined, you can use RBAC to define and apply permissions. 
After you define an identity provider and create a new `cluster-admin` user, remove the `kubeadmin` user to improve cluster security." }, { - "id": "CIS-3.1.1_audit_procedure", + "id": "CIS-3.1.1_aud", "name": "audit_procedure", "prose": "For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. [Understanding authentication | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html)\n\nThe OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html)\n\nRun the following commands:\n\n```\n\n# To verify user authentication is enabled\noc describe authentication\n\n# To verify that an identity provider is configured\noc get identity\n\n# To verify that a custom cluster-admin user exists\noc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User\n\n# To verity that kbueadmin is removed, no results should be returned\noc get secrets kubeadmin -n kube-system\n```\n\nVerify that authentication is running. \n\nVerify that at least one identity provider is configured.\n\nVerify that at least one user has cluster-admin role. 
For example\n`NAME: cluster-admin-0` `ROLE: cluster-admin` `SUBJECT:*.kind User`\n\nVerify that the `kubeadmin` user no longer exists" }, { - "id": "CIS-3.1.1_CIS_Controls", + "id": "CIS-3.1.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;" } @@ -7067,7 +7067,7 @@ ], "links": [ { - "href": "#c2f5eee5-88b7-438f-9493-c5746ff68ce2", + "href": "#ab0d220b-f42a-43e2-8a48-2956d0bd259b", "rel": "reference" } ], 
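Review bot: `oc get identity` in the new `CIS-3.1.1_aud` prose does not verify that an identity provider is configured — Identity objects are created only after a user has logged in through a provider, so a cluster with a provider configured but no logins yet returns nothing, and the reader is left to guess whether the control passes. The provider configuration lives on the OAuth resource; the check should read `oc get oauth cluster -o jsonpath='{.spec.identityProviders[*].name}'` and the verification sentence should ask for at least one provider name to be returned. The `kubeadmin` secret check is the right one, but its user-facing comment carries typos (`verity`, `kbueadmin`) that should be fixed, and the comment should say that a `NotFound` error is the expected (passing) result so that an error line is not read as a failure. Separately, the documentation links still point at the 4.5 docs while the catalog metadata now claims benchmark v1.2.0-2; worth confirming the references match what that benchmark revision cites.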
@@ -7078,27 +7078,27 @@ "prose": "Kubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled." }, { - "id": "CIS-3.2.1_rationale_statement", + "id": "CIS-3.2.1_rat", "name": "rationale_statement", "prose": "Logging is an important detective control for all systems, to detect potential unauthorised access." }, { - "id": "CIS-3.2.1_impact_statement", + "id": "CIS-3.2.1_imp", "name": "impact_statement", "prose": "Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes." }, { - "id": "CIS-3.2.1_remediation_procedure", + "id": "CIS-3.2.1_rem", "name": "remediation_procedure", "prose": "No remediation required." }, { - "id": "CIS-3.2.1_audit_procedure", + "id": "CIS-3.2.1_aud", "name": "audit_procedure", "prose": "In OpenShift, auditing of the API Server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Each audit log contains two entries:\n\nThe request line containing:\n\nA Unique ID allowing to match the response line (see #2)\n- The source IP of the request\n- The HTTP method being invoked\n- The original user invoking the operation\n- The impersonated user for the operation (self meaning himself)\n- The impersonated group for the operation (lookup meaning user’s group)\n- The namespace of the request or \n- The URI as requested\n\nThe response line containing:\n- The unique ID from #1\n- The response code\n\nYou can view logs for the OpenShift Container Platform API server or the Kubernetes API server for each master node. Follow the steps in documentation. 
[Viewing the audit log](https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html#nodes-nodes-audit-log-basic-viewing_nodes-nodes-audit-log)\n\n```\n\n#To view kube apiserver log files\noc adm node-logs --role=master --path=kube-apiserver/\n\n#To view openshift apiserver log files\noc adm node-logs --role=master --path=openshift-apiserver/\n\n#To verify kube apiserver audit config\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig[]'\n\n#To verify openshift apiserver audit config\noc get configmap config -n openshift-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig[]'\n```\n\nVerify that log files are returned. \n\nVerify the audit log configuration." }, { - "id": "CIS-3.2.1_CIS_Controls", + "id": "CIS-3.2.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Activate audit logging CONTROL:v7 6.2 DESCRIPTION:Ensure that local logging has been enabled on all systems and networking devices.;" } @@ -7161,7 +7161,7 @@ ], "links": [ { - "href": "#86318b47-61fc-4f0e-ac04-fed8c9da28bd", + "href": "#40c249f0-75cc-4bc0-a918-0bd941c7f119", "rel": "reference" } ], 
@@ -7172,27 +7172,27 @@ "prose": "Ensure that the audit policy created for the cluster covers key security concerns." }, { - "id": "CIS-3.2.2_rationale_statement", + "id": "CIS-3.2.2_rat", "name": "rationale_statement", "prose": "Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a security environment." }, { - "id": "CIS-3.2.2_impact_statement", + "id": "CIS-3.2.2_imp", "name": "impact_statement", "prose": "Increasing audit logging will consume resources on the nodes or other log destinations." }, { - "id": "CIS-3.2.2_remediation_procedure", + "id": "CIS-3.2.2_rem", "name": "remediation_procedure", "prose": "In OpenShift 4.6 and higher, if appropriate for your needs, modify the audit policy." }, { - "id": "CIS-3.2.2_audit_procedure", + "id": "CIS-3.2.2_aud", "name": "audit_procedure", "prose": "Review the audit policy provided for the cluster and ensure that it covers at least the following areas:\n\n- Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data.\n- Modification of pod and deployment objects.\n- Use of `pods/exec`, `pods/portforward`, `pods/proxy and services/proxy`.\n\nFor most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).\n\nAudit policy is supported as of OpenShift 4.6, but not in earlier versions. You can configure the audit feature to set log level, retention policy, and the type of events to log. You can set the log level settings for an overall component or the API server to one of the following. 
The setting can be different for each setting.\n\n```\n\n#To verify openshift apiserver audit config\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig.policyConfiguration.rules[]'\n\n#To verify kube apiserver audit config\noc get configmap config -n openshift-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig.policyConfiguration.rules[]'\n```" }, { - "id": "CIS-3.2.2_CIS_Controls", + "id": "CIS-3.2.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Enforce Detail Logging for Access or Changes to Sensitive Data CONTROL:v7 14.9 DESCRIPTION:Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).;TITLE:Enforce Detailed Audit Logging For Sensitive Information CONTROL:v6 14.6 DESCRIPTION:Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.;" } @@ -7295,7 +7295,7 @@ ], "links": [ { - "href": "#5523abbc-69be-44aa-b8f0-0d7765282334", + "href": "#f9696bf0-c0b0-4185-bfb7-1e0ac9c8bbc2", "rel": "reference" } ], 
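Review bot: The two comments in the new `CIS-3.2.2_aud` command block are swapped relative to the namespaces they label — `#To verify openshift apiserver audit config` precedes `oc get configmap config -n openshift-kube-apiserver`, and `#To verify kube apiserver audit config` precedes `-n openshift-apiserver`; the two comment lines should be exchanged. The prose also ends with "set the log level settings ... to one of the following." and then lists nothing, so the reader never learns the valid values. On OpenShift 4.6+, which is exactly the range the remediation text targets, the effective policy is selected via `oc get apiserver cluster -o jsonpath='{.spec.audit.profile}'` (Default, WriteRequestBodies, AllRequestBodies, None, plus custom rules on newer releases), and I am not confident the `config` configmaps still expose an `auditConfig.policyConfiguration.rules` path — if they do not, the `jq` filter returns null and there is nothing to review. A sentence pointing the reader at the `apiserver/cluster` profile for 4.6+ would make the audit actionable.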
@@ -7306,27 +7306,27 @@ "prose": "Ensure that the kubelet service file has permissions of 600 or more restrictive." }, { - "id": "CIS-4.1.1_rationale_statement", + "id": "CIS-4.1.1_rat", "name": "rationale_statement", "prose": "The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.1_impact_statement", + "id": "CIS-4.1.1_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.1_remediation_procedure", + "id": "CIS-4.1.1_rem", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/systemd/system/kubelet.service\n```" }, { - "id": "CIS-4.1.1_audit_procedure", + "id": "CIS-4.1.1_aud", "name": "audit_procedure", "prose": "Kubelet is run as a `systemd` unit and its configuration file is created with `644` permissions.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the permissions are `600` or more restrictive." }, { - "id": "CIS-4.1.1_CIS_Controls", + "id": "CIS-4.1.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7389,7 +7389,7 @@ ], "links": [ { - "href": "#5ee947fa-4977-45ef-9514-b79a9a6f8f3b", + "href": "#bcea46e5-4512-402a-adb9-e634398e12c7", "rel": "reference" } ], @@ -7400,27 +7400,27 @@ "prose": "Ensure that the kubelet service file ownership is set to `root:root`." }, { - "id": "CIS-4.1.2_rationale_statement", + "id": "CIS-4.1.2_rat", "name": "rationale_statement", "prose": "The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.2_impact_statement", + "id": "CIS-4.1.2_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.2_remediation_procedure", + "id": "CIS-4.1.2_rem", "name": "remediation_procedure", "prose": "By default, the kubelet service file has ownership of `root:root`." }, { - "id": "CIS-4.1.2_audit_procedure", + "id": "CIS-4.1.2_aud", "name": "audit_procedure", "prose": "Run the following command:\n\n```\n\n# Should return root:root for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.2_CIS_Controls", + "id": "CIS-4.1.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } 
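Review bot: The remediation in `CIS-4.1.1_rem` (`chmod 600 /etc/systemd/system/kubelet.service`) is a hand-applied change on the node, and on RHCOS that unit file is delivered by the Machine Config Operator, so as far as I can tell the mode change is configuration drift that is not guaranteed to survive node reprovisioning or upgrade; the durable fix is a MachineConfig that sets `mode: 0600` on the unit file, and the remediation text should say so. The audit prose states the file is created with `644`, i.e. the control fails on a default installation, which is worth stating explicitly so readers do not assume the platform default satisfies it. The `oc debug node/... -- chroot /host stat -c %a` loop itself is fine, though it prints nothing when `oc get nodes` returns an empty list; a one-line guard that echoes a warning on an empty node list would keep "no output" from reading as a pass.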
@@ -7483,7 +7483,7 @@ ], "links": [ { - "href": "#5c7d8368-40e9-4cca-9c90-c8a1505f9eb8", + "href": "#3dd2d4d7-e7ef-48e3-af9e-65c0f98ce54e", "rel": "reference" } ], 
@@ -7494,27 +7494,27 @@ "prose": "If `kube-proxy` is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.3_rationale_statement", + "id": "CIS-4.1.3_rat", "name": "rationale_statement", "prose": "The `kube-proxy` kubeconfig file controls various parameters of the `kube-proxy` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\nIt is possible to run `kube-proxy` with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file." }, { - "id": "CIS-4.1.3_impact_statement", + "id": "CIS-4.1.3_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.3_remediation_procedure", + "id": "CIS-4.1.3_rem", "name": "remediation_procedure", "prose": "execute command:\n\nchmod 600 /config/kube-proxy-config.yaml" }, { - "id": "CIS-4.1.3_audit_procedure", + "id": "CIS-4.1.3_aud", "name": "audit_procedure", "prose": "In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with `644` permissions.\n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname)\ndo\n oc exec -n openshift-sdn $i -- \\\n stat -Lc %a /config/kube-proxy-config.yaml\ndone\n```\n\nVerify that the `kube-proxy-config.yaml` file has permissions of `600`." }, { - "id": "CIS-4.1.3_CIS_Controls", + "id": "CIS-4.1.3_ctl", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7577,7 +7577,7 @@ ], "links": [ { - "href": "#201ef3a5-b95c-4b95-9ca6-041cc45753f3", + "href": "#5adc197e-0e49-4fb7-8515-f27bb0678df1", "rel": "reference" } ], 
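Review bot: The audit loop in the new `CIS-4.1.3_aud` prose prints nothing and exits 0 when `oc get pods -n openshift-sdn -l app=sdn -oname` matches no pods, so on a cluster that does not run the OpenShift SDN plugin (OVN-Kubernetes clusters have no `sdn` pods, to my knowledge) the check silently looks like a pass; the loop should first assert a non-empty pod list, e.g. `pods=$(oc get pods -n openshift-sdn -l app=sdn -oname); [ -n "$pods" ] || echo "no sdn pods found - confirm which network plugin is in use and where kube-proxy runs"`. The prose also says the kubeconfig is copied into the container at `/tmp/kubeconfig` while the command stats `/config/kube-proxy-config.yaml`; one of the two paths is wrong and the text should name the file that is actually checked. Finally, the remediation `chmod 600 /config/kube-proxy-config.yaml` runs inside a running container and is lost on pod restart, so it is not a durable remediation — the text should note that the persistent mode comes from the operator-managed volume mount, not from a manual chmod.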
@@ -7588,27 +7588,27 @@ "prose": "If `kube-proxy` is running, ensure that the file ownership of its kubeconfig file is set to `root:root`." }, { - "id": "CIS-4.1.4_rationale_statement", + "id": "CIS-4.1.4_rat", "name": "rationale_statement", "prose": "The kubeconfig file for `kube-proxy` controls various parameters for the `kube-proxy` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.4_impact_statement", + "id": "CIS-4.1.4_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.4_remediation_procedure", + "id": "CIS-4.1.4_rem", "name": "remediation_procedure", "prose": "None required. The configuration is managed by OpenShift operators." }, { - "id": "CIS-4.1.4_audit_procedure", + "id": "CIS-4.1.4_aud", "name": "audit_procedure", "prose": "In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with root:root ownership. \n\nRun the following command:\n\n```\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname)\ndo\n oc exec -n openshift-sdn $i -- \\\n stat -Lc %U:%G /config/kube-proxy-config.yaml\ndone\n```\n\nVerify that the `kube-proxy-config.yaml` file has ownership root:root." }, { - "id": "CIS-4.1.4_CIS_Controls", + "id": "CIS-4.1.4_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -7671,7 +7671,7 @@ ], "links": [ { - "href": "#2679f20e-d437-4fbd-94d3-9300deb20362", + "href": "#70faa058-f2af-4134-8837-af3f5f9feef3", "rel": "reference" } ], 
@@ -7682,27 +7682,27 @@ "prose": "Ensure that the `kubelet.conf` file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.5_rationale_statement", + "id": "CIS-4.1.5_rat", "name": "rationale_statement", "prose": "The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.5_impact_statement", + "id": "CIS-4.1.5_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.5_remediation_procedure", + "id": "CIS-4.1.5_rem", "name": "remediation_procedure", "prose": "run command:\n\n```\nchmod 600 /etc/kubernetes/kubelet.conf\n```" }, { - "id": "CIS-4.1.5_audit_procedure", + "id": "CIS-4.1.5_aud", "name": "audit_procedure", "prose": "The node's `kubeconfig` is created with `644` permissions. \n\nRun the following command:\n\n```\n# Check permissions\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/kubelet.conf\ndone\n```\n\nVerify that the permissions are `600`." }, { - "id": "CIS-4.1.5_CIS_Controls", + "id": "CIS-4.1.5_ctl", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7765,7 +7765,7 @@ ], "links": [ { - "href": "#efb94d9e-c91c-4b0b-8201-aa94f6c582b2", + "href": "#fb86cf83-bb72-4429-bd81-49a8cf5ff14e", "rel": "reference" } ], @@ -7776,27 +7776,27 @@ "prose": "Ensure that the `kubelet.conf` file ownership is set to `root:root`." }, { - "id": "CIS-4.1.6_rationale_statement", + "id": "CIS-4.1.6_rat", "name": "rationale_statement", "prose": "The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.6_impact_statement", + "id": "CIS-4.1.6_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.6_remediation_procedure", + "id": "CIS-4.1.6_rem", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.6_audit_procedure", + "id": "CIS-4.1.6_aud", "name": "audit_procedure", "prose": "The node's `kubeconfig` is created with `root:root` ownership. \n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/kubelet.conf\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.6_CIS_Controls", + "id": "CIS-4.1.6_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } 
@@ -7859,7 +7859,7 @@ ], "links": [ { - "href": "#119a992c-26bc-44e0-819f-c53616338a13", + "href": "#9ded8000-d42b-4a39-af87-bc6e28a796f3", "rel": "reference" } ], 
@@ -7870,27 +7870,27 @@ "prose": "Ensure that the certificate authorities file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.7_rationale_statement", + "id": "CIS-4.1.7_rat", "name": "rationale_statement", "prose": "The certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.7_impact_statement", + "id": "CIS-4.1.7_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.7_remediation_procedure", + "id": "CIS-4.1.7_rem", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/cert/ca.pem\n```" }, { - "id": "CIS-4.1.7_audit_procedure", + "id": "CIS-4.1.7_aud", "name": "audit_procedure", "prose": "The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The \n`/etc/kubernetes/cert/kubelet-ca.crt` file has permissions `600`.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/cert/ca.pem\ndone\n```\n\nVerify that the permissions are `600`." }, { - "id": "CIS-4.1.7_CIS_Controls", + "id": "CIS-4.1.7_ctl", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7953,7 +7953,7 @@ ], "links": [ { - "href": "#472cc874-97ff-4a4c-81bd-a3b565232455", + "href": "#19499b83-fe98-4a2e-8493-c7210a52de61", "rel": "reference" } ], @@ -7964,27 +7964,27 @@ "prose": "Ensure that the certificate authorities file ownership is set to `root:root`." }, { - "id": "CIS-4.1.8_rationale_statement", + "id": "CIS-4.1.8_rat", "name": "rationale_statement", "prose": "The certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.8_impact_statement", + "id": "CIS-4.1.8_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.8_remediation_procedure", + "id": "CIS-4.1.8_rem", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.8_audit_procedure", + "id": "CIS-4.1.8_aud", "name": "audit_procedure", "prose": "The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The \n`/etc/kubernetes/kubelet-ca.crt` file has ownership `root:root`.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/ca.pem\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.8_CIS_Controls", + "id": "CIS-4.1.8_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } 
@@ -8047,7 +8047,7 @@ ], "links": [ { - "href": "#cec3a4bf-70ae-4eeb-b412-a52803f2e0d6", + "href": "#51257190-348d-45c4-995f-213482f31bda", "rel": "reference" } ], 
@@ -8058,27 +8058,27 @@ "prose": "Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.9_rationale_statement", + "id": "CIS-4.1.9_rat", "name": "rationale_statement", "prose": "The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.9_impact_statement", + "id": "CIS-4.1.9_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.9_remediation_procedure", + "id": "CIS-4.1.9_rem", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.9_audit_procedure", + "id": "CIS-4.1.9_aud", "name": "audit_procedure", "prose": "In OpenShift 4, the `kublet.conf` file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/config.json` with file permissions set to `600`.\n\nRun the command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /var/lib/kubelet/config.json\ndone\n```\n\nVerify that the permissions are `600`." }, { - "id": "CIS-4.1.9_CIS_Controls", + "id": "CIS-4.1.9_ctl", "name": "CIS_Controls", "prose": "TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;TITLE:Minimize And Sparingly Use Administrative Privileges CONTROL:v6 5.1 DESCRIPTION:Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.;" } @@ -8141,7 +8141,7 @@ ], "links": [ { - "href": "#daac5ddf-fd89-4f90-acbe-3eaa4706cfb4", + "href": "#d50db4b8-bea1-4e87-b70c-2cefd530c90a", "rel": "reference" } ], 
@@ -8152,27 +8152,27 @@ "prose": "Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by `root:root`." }, { - "id": "CIS-4.1.10_rationale_statement", + "id": "CIS-4.1.10_rat", "name": "rationale_statement", "prose": "The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.10_impact_statement", + "id": "CIS-4.1.10_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.10_remediation_procedure", + "id": "CIS-4.1.10_rem", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.10_audit_procedure", + "id": "CIS-4.1.10_aud", "name": "audit_procedure", "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/kubeconfig` with ownership set to `root:root`.\n\nRun the command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /var/lib/kubelet/config.json\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.10_CIS_Controls", + "id": "CIS-4.1.10_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -8250,7 +8250,7 @@ ], "links": [ { - "href": "#edffbd8c-2ca8-456c-8ff8-759a7e369a87", + "href": "#4156bdf5-c46c-4799-a01c-c495a846073f", "rel": "reference" } ], 
@@ -8261,27 +8261,27 @@ "prose": "Disable anonymous requests to the Kubelet server." }, { - "id": "CIS-4.2.1_rationale_statement", + "id": "CIS-4.2.1_rat", "name": "rationale_statement", "prose": "When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests." }, { - "id": "CIS-4.2.1_impact_statement", + "id": "CIS-4.2.1_imp", "name": "impact_statement", "prose": "Anonymous requests will be rejected." }, { - "id": "CIS-4.2.1_remediation_procedure", + "id": "CIS-4.2.1_rem", "name": "remediation_procedure", "prose": "Follow the instructions in the documentation to create a Kubelet config CRD and set the `anonymous-auth` is set to `false`." }, { - "id": "CIS-4.2.1_audit_procedure", + "id": "CIS-4.2.1_aud", "name": "audit_procedure", "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator and `anonymous-auth` is set to `false` by default.\n\nRun the following command on each node:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep -B4 -A1 anonymous: /etc/systemd/system/kubelet.conf\ndone\n```\n\nVerify that the `anonymous-auth` argument is set to `false`." }, { - "id": "CIS-4.2.1_CIS_Controls", + "id": "CIS-4.2.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -8339,7 +8339,7 @@ ], "links": [ { - "href": "#97c4e51f-69c2-48d6-8f3c-4820ce812ae7", + "href": "#5e1c910a-8d1d-410e-8d7f-1d072a024fa0", "rel": "reference" } ], 
@@ -8350,27 +8350,27 @@ "prose": "Do not allow all requests. Enable explicit authorization." }, { - "id": "CIS-4.2.2_rationale_statement", + "id": "CIS-4.2.2_rat", "name": "rationale_statement", "prose": "Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests." }, { - "id": "CIS-4.2.2_impact_statement", + "id": "CIS-4.2.2_imp", "name": "impact_statement", "prose": "Unauthorized requests will be denied." }, { - "id": "CIS-4.2.2_remediation_procedure", + "id": "CIS-4.2.2_rem", "name": "remediation_procedure", "prose": "None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes." }, { - "id": "CIS-4.2.2_audit_procedure", + "id": "CIS-4.2.2_aud", "name": "audit_procedure", "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator. By default, Unauthenticated/Unauthorized users have no access to OpenShift nodes. Run the following command:\n\n```\n\n#In one terminal, run:\n oc proxy\n\n#Then in another terminal, run:\nfor name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}')\ndo \n curl -sS http://127.0.0.1:8080/api/v1/nodes/$name/proxy/configz | jq -r '.kubeletconfig.authorization.mode'\n done\n\n# Alternative without oc proxy\nPOD=$(oc -n openshift-kube-apiserver get pod -l app=openshift-kube-apiserver -o jsonpath='{.items[0].metadata.name}')\n\nTOKEN=$(oc whoami -t)\n\nfor name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}')\ndo\n oc exec -n openshift-kube-apiserver $POD -- curl -sS https://172.25.0.1/api/v1/nodes/$name/proxy/configz -k -H \"Authorization: Bearer $TOKEN\" | jq -r '.kubeletconfig.authorization.mode'\ndone\n```\n\nVerify that access is not successful." 
}, { - "id": "CIS-4.2.2_CIS_Controls", + "id": "CIS-4.2.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -8428,7 +8428,7 @@ ], "links": [ { - "href": "#b0a79284-59f4-4b12-a7a4-b7fd73d32e36", + "href": "#c408887a-6ee5-4cc9-b911-aa10de086da4", "rel": "reference" } ], 
@@ -8439,27 +8439,27 @@ "prose": "Enable Kubelet authentication using certificates." }, { - "id": "CIS-4.2.3_rationale_statement", + "id": "CIS-4.2.3_rat", "name": "rationale_statement", "prose": "The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests." }, { - "id": "CIS-4.2.3_impact_statement", + "id": "CIS-4.2.3_imp", "name": "impact_statement", "prose": "You require TLS to be configured on apiserver as well as kubelets." }, { - "id": "CIS-4.2.3_remediation_procedure", + "id": "CIS-4.2.3_rem", "name": "remediation_procedure", "prose": "None required. Changing the `clientCAFile` value is unsupported." }, { - "id": "CIS-4.2.3_audit_procedure", + "id": "CIS-4.2.3_aud", "name": "audit_procedure", "prose": "OpenShift provides integrated management of certificates for internal cluster components. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. The Client CA location for the kubelet is defined in `/etc/kubernetes/kubelet.conf`. \n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep -B3 client-ca-file: /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the `clientCAFile` exists and is set to `/etc/kubernetes/kubelet-ca.crt`. 
The output should look like the following:\n\n```\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n x509:\n clientCAFile: /etc/kubernetes/kubelet-ca.crt\n```" }, { - "id": "CIS-4.2.3_CIS_Controls", + "id": "CIS-4.2.3_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -8517,7 +8517,7 @@ ], "links": [ { - "href": "#aad9d053-7481-4ef1-a443-dc6fe0aa3909", + "href": "#0a57128d-4803-49f8-b086-2969ee569eb4", "rel": "reference" } ], 
@@ -8528,27 +8528,27 @@ "prose": "Disable the read-only port." }, { - "id": "CIS-4.2.4_rationale_statement", + "id": "CIS-4.2.4_rat", "name": "rationale_statement", "prose": "The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster." }, { - "id": "CIS-4.2.4_impact_statement", + "id": "CIS-4.2.4_imp", "name": "impact_statement", "prose": "Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API." }, { - "id": "CIS-4.2.4_remediation_procedure", + "id": "CIS-4.2.4_rem", "name": "remediation_procedure", "prose": "In earlier versions of OpenShift 4, the `read-only-port` argument is not used. \n\nFollow the instructions in the documentation to create a Kubelet config CRD and set the `--read-only-port` is set to `0`." }, { - "id": "CIS-4.2.4_audit_procedure", + "id": "CIS-4.2.4_aud", "name": "audit_procedure", "prose": "In OpenShift 4, the kubelet is managed by the Machine Config Operator. The kubelet config file is found at `/etc/kubernetes/kubelet.conf`. OpenShift disables the read-only port (10255) on all nodes by setting the `read-only-port` kubelet flag to 0 by default in OpenShift 4.6 and above. In OpenShift 4.5 and earlier, the `read-only-port` argument is not used. \n\nRun the following command:\n\n```\n\noc -n openshift-kube-apiserver get cm kube-apiserver-pod -o yaml | grep --color read-only-port\n\noc -n openshift-kube-apiserver get cm config -o yaml | grep --color \"read-only-port”\n```\n\nFor OpenShift 4.5, verify that nothing is returned. Configuration information is available here: https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L135-L141\n\nFor OpenShift 4.6, verify that the `read-only-port` is set to `0`." 
}, { - "id": "CIS-4.2.4_CIS_Controls", + "id": "CIS-4.2.4_ctl", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -8606,7 +8606,7 @@ ], "links": [ { - "href": "#25b0a20a-b36a-41b7-bd96-6fd4a7dfd325", + "href": "#1eece71c-cc88-463f-9a39-465f737b31c5", "rel": "reference" } ], 
@@ -8617,27 +8617,27 @@ "prose": "Do not disable timeouts on streaming connections." }, { - "id": "CIS-4.2.5_rationale_statement", + "id": "CIS-4.2.5_rat", "name": "rationale_statement", "prose": "Setting idle timeouts ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports. \n\n**Note:** By default, `--streaming-connection-idle-timeout` is set to 4 hours which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases." }, { - "id": "CIS-4.2.5_impact_statement", + "id": "CIS-4.2.5_imp", "name": "impact_statement", "prose": "Long-lived connections could be interrupted." }, { - "id": "CIS-4.2.5_remediation_procedure", + "id": "CIS-4.2.5_rem", "name": "remediation_procedure", "prose": "Follow the instructions in the documentation to create a Kubelet config CRD and set the `--streaming-connection-idle-timeout` to the desired value. Do not set the value to `0`." }, { - "id": "CIS-4.2.5_audit_procedure", + "id": "CIS-4.2.5_aud", "name": "audit_procedure", "prose": "OpenShift uses the kubernetes default of 4 hours for the streaming-connection-idle-timeout argument. Unless the cluster administrator has added the value to the node configuration, the default will be used. The value is a timeout for HTTP streaming sessions going through a kubelet, like the port-forward, exec, or attach pod operations. The `streaming-connection-idle-timeout` should not be disabled by setting it to `zero`, but it can be lowered. Note that if the value is set too low, then users using those features may experience a service interruption due to the timeout. \n\nThe kubelet configuration is currently serialized as an ignition configuration, so it can be directly edited. However, there is also a new `kubelet-config-controller` added to the Machine Config Controller (MCC). 
This allows you to create a `KubeletConfig` custom resource (CR) to edit the kubelet parameters.\n\nRun the following command on each node:\n\n```\n\n# Should return 1 for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host ps -ef | grep kubelet | grep streaming-connection-idle-timeout\n echo $?\ndone\n\n# Should return 1 for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf\n echo $?\ndone\n```\n\nVerify that the `--streaming-connection-idle-timeout` argument is not set to `0`.\nIf the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to `0`." }, { - "id": "CIS-4.2.5_CIS_Controls", + "id": "CIS-4.2.5_ctl", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -8695,7 +8695,7 @@ ], "links": [ { - "href": "#fcb2eff5-95e4-4f94-b1c0-7fd3d06d829a", + "href": "#77ca7af9-cafc-406a-b735-b82415471bce", "rel": "reference" } ], 
@@ -8706,27 +8706,27 @@ "prose": "Protect tuned kernel parameters from overriding kubelet default kernel parameter values." }, { - "id": "CIS-4.2.6_rationale_statement", + "id": "CIS-4.2.6_rat", "name": "rationale_statement", "prose": "Kernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior." }, { - "id": "CIS-4.2.6_impact_statement", + "id": "CIS-4.2.6_imp", "name": "impact_statement", "prose": "You would have to re-tune kernel parameters to match kubelet parameters." }, { - "id": "CIS-4.2.6_remediation_procedure", + "id": "CIS-4.2.6_rem", "name": "remediation_procedure", "prose": "None required. The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start." }, { - "id": "CIS-4.2.6_audit_procedure", + "id": "CIS-4.2.6_aud", "name": "audit_procedure", "prose": "The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start.\n\nRun the following command:\n\n```\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n```\n\nVerify that protectKernelDefaults is not present." 
}, { - "id": "CIS-4.2.6_CIS_Controls", + "id": "CIS-4.2.6_ctl", "name": "CIS_Controls", "prose": "TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Deploy Automated Operating System Patch Management Tools CONTROL:v7 3.4 DESCRIPTION:Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.;" } @@ -8784,7 +8784,7 @@ ], "links": [ { - "href": "#576ebaa9-bb17-44ce-98cd-021442090ba2", + "href": "#b2679e66-bd6f-4791-9b35-0b85d81e5139", "rel": "reference" } ], 
@@ -8795,27 +8795,27 @@ "prose": "Allow Kubelet to manage iptables." }, { - "id": "CIS-4.2.7_rationale_statement", + "id": "CIS-4.2.7_rat", "name": "rationale_statement", "prose": "Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open." }, { - "id": "CIS-4.2.7_impact_statement", + "id": "CIS-4.2.7_imp", "name": "impact_statement", "prose": "Kubelet would manage the iptables on the system and keep it in sync. If you are using any other iptables management solution, then there might be some conflicts." }, { - "id": "CIS-4.2.7_remediation_procedure", + "id": "CIS-4.2.7_rem", "name": "remediation_procedure", "prose": "None required. The `--make-iptables-util-chains` argument is set to true by default." }, { - "id": "CIS-4.2.7_audit_procedure", + "id": "CIS-4.2.7_aud", "name": "audit_procedure", "prose": "OpenShift sets the `make-iptables-util-changes` argument to true by default. \n\nRun the following command:\n\n```\n\n/bin/bash\nflag=make-iptables-util-chains\nopt=makeIPTablesUtilChains\n\n# look at each machineconfigpool\n\nwhile read -r pool nodeconfig; do\n # true by default\n value='true'\n # first look for the flag\n oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.systemd[][] | select(.name==\"kubelet.service\") | .contents' | sed -n \"/^ExecStart=/,/^\\$/ { /^\\\\s*--$flag=false/ q 100 }\"\n # if the above command exited with 100, the flag was false\n [ $? 
== 100 ] && value='false'\n # now look in the yaml KubeletConfig\n yamlconfig=$(oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.storage.files[] | select(.path==\"/etc/kubernetes/kubelet.conf\") | .contents.source ' | sed 's/^data:,//' | while read; do echo -e ${REPLY//%/\\\\x}; done)\n echo \"$yamlconfig\" | sed -n \"/^$opt:\\\\s*false\\\\s*$/ q 100\"\n [ $? == 100 ] && value='false'\n echo \"Pool $pool has $flag ($opt) set to $value\"\ndone < <(oc get machineconfigpools -o json | jq -r '.items[] | select(.status.machineCount>0) | .metadata.name + \" \" + .spec.configuration.name')\n```\n\nVerify the `--make-iptables-util-chains` argument is set to true for each `machinepool`. \n\nFor example:\n`Pool master has make-iptables-util-chains (makeIPTablesUtilChains) set to true`\n`Pool worker has make-iptables-util-chains (makeIPTablesUtilChains) set to true`" }, { - "id": "CIS-4.2.7_CIS_Controls", + "id": "CIS-4.2.7_ctl", "name": "CIS_Controls", "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enforce Access Control to Data through Automated Tools CONTROL:v7 14.7 DESCRIPTION:Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.;" } @@ -8873,7 +8873,7 @@ ], "links": [ { - "href": "#df258d02-632c-46ba-b131-938998ac806f", + "href": "#71a16eb1-f934-4738-8b8d-4ad9bcdf285b", "rel": "reference" } ], 
@@ -8884,27 +8884,27 @@
 "prose": "Do not override node hostnames."
 },
 {
- "id": "CIS-4.2.8_rationale_statement",
+ "id": "CIS-4.2.8_rat",
 "name": "rationale_statement",
 "prose": "Overriding hostnames could potentially break TLS setup between the kubelet and the apiserver. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should setup your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs."
 },
 {
- "id": "CIS-4.2.8_impact_statement",
+ "id": "CIS-4.2.8_imp",
 "name": "impact_statement",
 "prose": "Some cloud providers may require this flag to ensure that hostname matches names issued by the cloud provider. In these environments, this recommendation should not apply."
 },
 {
- "id": "CIS-4.2.8_remediation_procedure",
+ "id": "CIS-4.2.8_rem",
 "name": "remediation_procedure",
 "prose": "None required."
 },
 {
- "id": "CIS-4.2.8_audit_procedure",
+ "id": "CIS-4.2.8_aud",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, the `--hostname-override` argument is not used. \n\nRun the following command on each machine pool. For example:\n\n```\noc get machineconfig 01-worker-kubelet -o yaml | grep hostname-override\noc get machineconfig 01-master-kubelet -o yaml | grep hostname-override\n```\n\nVerify that `--hostname-override` argument does not exist."
 },
 {
- "id": "CIS-4.2.8_CIS_Controls",
+ "id": "CIS-4.2.8_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Use DNS Filtering Services CONTROL:v8 9.2 DESCRIPTION:Use DNS filtering services on all enterprise assets to block access to known malicious domains.;TITLE:Use of DNS Filtering Services CONTROL:v7 7.7 DESCRIPTION:Use DNS filtering services to help block access to known malicious domains.;"
 }
@@ -8962,7 +8962,7 @@
 ],
 "links": [
 {
- "href": "#1895214f-40e8-4615-b019-61940dfa98cd",
+ "href": "#b8ec980b-ad39-4593-81a2-3998c02a849f",
 "rel": "reference"
 }
 ],
@@ -8973,27 +8973,27 @@
 "prose": "Security relevant information should be captured. The `--event-qps` flag on the Kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged, however the unlimited setting of `0` could result in a denial of service on the kubelet."
 },
 {
- "id": "CIS-4.2.9_rationale_statement",
+ "id": "CIS-4.2.9_rat",
 "name": "rationale_statement",
 "prose": "It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data."
 },
 {
- "id": "CIS-4.2.9_impact_statement",
+ "id": "CIS-4.2.9_imp",
 "name": "impact_statement",
 "prose": "Setting this parameter to `0` could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads."
 },
 {
- "id": "CIS-4.2.9_remediation_procedure",
+ "id": "CIS-4.2.9_rem",
 "name": "remediation_procedure",
 "prose": "Follow the documentation to edit kubelet parameters\n\nhttps://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters\n\n```\nKubeAPIQPS: \n```"
 },
 {
- "id": "CIS-4.2.9_audit_procedure",
+ "id": "CIS-4.2.9_aud",
 "name": "audit_procedure",
 "prose": "OpenShift uses the `kubeAPIQPS` argument and sets it to a default value of `50`. When this value is set to > 0, event creations per second are limited to the value set. If this value is set to `0`, event creations per second are unlimited.\n\nRun the following command on each machine pool. 
For example:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n\noc get machineconfig 01-worker-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050\n\noc get machineconfig 01-master-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050\n```\n\nReview the value set for the `kubeAPIQPS` argument and determine whether this has been set to an appropriate level for the cluster. If this value is set to `0`, event creations per second are unlimited."
 },
 {
- "id": "CIS-4.2.9_CIS_Controls",
+ "id": "CIS-4.2.9_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Collect Detailed Audit Logs CONTROL:v8 8.5 DESCRIPTION:Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.;TITLE:Enable Command-line Audit Logging CONTROL:v7 8.8 DESCRIPTION:Enable command-line audit logging for command shells, such as Microsoft Powershell and Bash.;"
 }
@@ -9051,7 +9051,7 @@
 ],
 "links": [
 {
- "href": "#f1854ab5-825d-4054-9a85-32e73db22296",
+ "href": "#6686bf97-28d3-4b99-9e19-640474302bb1",
 "rel": "reference"
 }
 ],
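Review bot: The CIS-4.2.9 audit greps only for the literal default `kubeAPIQPS%3A%2050`, so a pool where the value was set to `0` — the unlimited setting the statement warns about — or to any other non-default number produces no output at all instead of a finding; match the key alone and read the number, e.g. `grep -o 'kubeAPIQPS%3A%20[0-9]*'`. The remediation block is an empty placeholder (`KubeAPIQPS: ` with no value, and a capitalised key that does not match the `kubeAPIQPS` the audit looks for). Separately, in the upstream KubeletConfiguration the field that rate-limits event creation is `eventRecordQPS`, while `kubeAPIQPS` throttles the kubelet's own API client, so this check may be reading the wrong field — confirm against the kubelet configuration reference before relying on it. If this catalog is regenerated from the spreadsheet, the correction belongs in that source rather than in this JSON.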
@@ -9062,27 +9062,27 @@
 "prose": "Setup TLS connection on the Kubelets."
 },
 {
- "id": "CIS-4.2.10_rationale_statement",
+ "id": "CIS-4.2.10_rat",
 "name": "rationale_statement",
 "prose": "The connections from the `apiserver` to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the `apiserver` does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks."
 },
 {
- "id": "CIS-4.2.10_impact_statement",
+ "id": "CIS-4.2.10_imp",
 "name": "impact_statement",
 "prose": "TLS and client certificate authentication must be configured for your Kubernetes cluster deployment."
 },
 {
- "id": "CIS-4.2.10_remediation_procedure",
+ "id": "CIS-4.2.10_rem",
 "name": "remediation_procedure",
 "prose": "OpenShift automatically manages TLS authentication for the API server communication with the `node/kublet`. This is not configurable."
 },
 {
- "id": "CIS-4.2.10_audit_procedure",
+ "id": "CIS-4.2.10_aud",
 "name": "audit_procedure",
 "prose": "By default, OpenShift uses X.509 certificates to provide secure connections between the API server and `node/kubelet`. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. The OpenShift Container Platform manages certificate rotation and the alerting framework has rules to help identify when a certificate issue is about to occur. 
\n\nRun the following command on each node:\n\n```\noc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data[\"config.yaml\"]' | jq '.kubeletClientInfo' \n```\n\nVerify that the `kubelet-client-certificate` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt`\n\nVerify that the `kubelet-client-key` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kublet-client/tls.key`"
 },
 {
- "id": "CIS-4.2.10_CIS_Controls",
+ "id": "CIS-4.2.10_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;"
 }
@@ -9140,7 +9140,7 @@
 ],
 "links": [
 {
- "href": "#ca0ebe3e-495e-4753-80a1-a9b809fe8fd1",
+ "href": "#2a5a9ff4-65f6-4eea-bfbd-56cb3a734454",
 "rel": "reference"
 }
 ],
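Review bot: The last verification line of the CIS-4.2.10 audit gives the key path as `/etc/kubernetes/static-pod-certs/secrets/kublet-client/tls.key`, while the certificate path one line above uses `kubelet-client`; an assessor comparing the `kubeletClientInfo` output literally will never match the key path. It should read `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key`, and the remediation's `node/kublet` carries the same typo. The command shown is a single cluster-scoped `oc get configmap`, so "Run the following command on each node" is misleading; "Run the following command" is sufficient.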
@@ -9151,27 +9151,27 @@
 "prose": "Enable kubelet client certificate rotation."
 },
 {
- "id": "CIS-4.2.11_rationale_statement",
+ "id": "CIS-4.2.11_rat",
 "name": "rationale_statement",
 "prose": "The `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself."
 },
 {
- "id": "CIS-4.2.11_impact_statement",
+ "id": "CIS-4.2.11_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-4.2.11_remediation_procedure",
+ "id": "CIS-4.2.11_rem",
 "name": "remediation_procedure",
 "prose": "None required."
 },
 {
- "id": "CIS-4.2.11_audit_procedure",
+ "id": "CIS-4.2.11_aud",
 "name": "audit_procedure",
 "prose": "This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled. The feature gate is enabled by default.\n\nRun the following commands:\n\n```\n\n#Verify the rotateKubeletClientCertificate feature gate is not set to false\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host cat /etc/kubernetes/kubelet.conf | grep RotateKubeletClientCertificate\ndone\n\n# Verify the rotateCertificates argument is set to true\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf;\ndone\n```\n\nVerify that the `rotateKubeletClientCertificates` feature gate argument is not set to `false`.\n\nVerify that the `rotateCertificates` argument is set to `true`." 
 },
 {
- "id": "CIS-4.2.11_CIS_Controls",
+ "id": "CIS-4.2.11_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;"
 }
@@ -9229,7 +9229,7 @@
 ],
 "links": [
 {
- "href": "#7fb3efc3-eb24-45a0-a08f-d321b903cd0d",
+ "href": "#25e569d4-5013-4c28-8ac4-b42c658e5130",
 "rel": "reference"
 }
 ],
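Review bot: The second loop in the CIS-4.2.11 audit runs `chroot host grep rotate /etc/kubernetes/kubelet.conf` without the leading slash, so inside `oc debug` it fails with a no-such-directory error rather than reporting the value; the first loop in the same block correctly uses `chroot /host`. Change it to `oc debug node/${node} -- chroot /host grep rotate /etc/kubernetes/kubelet.conf`. The closing verification text also names the gate `rotateKubeletClientCertificates` while the grep is case-sensitive on `RotateKubeletClientCertificate`; the two should agree on one spelling so the assessor knows which string a pass requires.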
@@ -9240,27 +9240,27 @@
 "prose": "Enable kubelet server certificate rotation."
 },
 {
- "id": "CIS-4.2.12_rationale_statement",
+ "id": "CIS-4.2.12_rat",
 "name": "rationale_statement",
 "prose": "`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself."
 },
 {
- "id": "CIS-4.2.12_impact_statement",
+ "id": "CIS-4.2.12_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-4.2.12_remediation_procedure",
+ "id": "CIS-4.2.12_rem",
 "name": "remediation_procedure",
 "prose": "None required."
 },
 {
- "id": "CIS-4.2.12_audit_procedure",
+ "id": "CIS-4.2.12_aud",
 "name": "audit_procedure",
 "prose": "Run the following command on each node:\n\n```\n\n#Verify the rotateKubeletServerCertificate feature gate is on \nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n\n# Verify the rotateCertificates argument is set to true\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf;\ndone\n```\n\nVerify that the `RotateKubeletServerCertificate` argument is set to `true`.\n\nVerify that the `rotateCertificates` argument is set to `true`"
 },
 {
- "id": "CIS-4.2.12_CIS_Controls",
+ "id": "CIS-4.2.12_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;"
 }
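Review bot: The CIS-4.2.12 audit carries the same broken `chroot host grep rotate /etc/kubernetes/kubelet.conf` invocation as 4.2.11 — missing the leading slash on `/host` — so the rotateCertificates loop errors out on every node; the fix is `chroot /host`. The feature-gate loop only pages the whole file through `more`, which leaves the assessor with nothing concrete to match; piping it to `grep RotateKubeletServerCertificate`, as the client-certificate check does, would make the pass condition testable. `RotateKubeletServerCertificate` is a feature gate, so if it appears in kubelet.conf at all it would presumably be under `featureGates:` rather than as a top-level argument — confirm on a real node before relying on the grep.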
@@ -9323,27 +9323,27 @@
 "prose": "Ensure that the Kubelet is configured to only use strong cryptographic ciphers."
 },
 {
- "id": "CIS-4.2.13_rationale_statement",
+ "id": "CIS-4.2.13_rat",
 "name": "rationale_statement",
 "prose": "TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided."
 },
 {
- "id": "CIS-4.2.13_impact_statement",
+ "id": "CIS-4.2.13_imp",
 "name": "impact_statement",
 "prose": "Kubelet clients that cannot support modern cryptographic ciphers will not be able to make connections to the Kubelet API."
 },
 {
- "id": "CIS-4.2.13_remediation_procedure",
+ "id": "CIS-4.2.13_rem",
 "name": "remediation_procedure",
 "prose": "Follow the directions above and in the OpenShift documentation to configure the `tlsSecurityProfile`. [Configuring Ingress](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress)"
 },
 {
- "id": "CIS-4.2.13_audit_procedure",
+ "id": "CIS-4.2.13_aud",
 "name": "audit_procedure",
 "prose": "The set of cryptographic ciphers currently considered secure is the following:\n\n```\n TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\n TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\n TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_GCM_SHA256\n```\n\nCiphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. 
There are four TLS security profile types:\n\n- Old\n- Intermediate\n- Modern\n- Custom\n\nOnly the Old, Intermediate and Custom profiles are supported at this time for the Ingress controller. Custom provides the ability to specify individual TLS security profile parameters. Follow the steps in the documentation to configure the cipher suite for Ingress, API server and Authentication. https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress\n\nRun the following commands to verify the cipher suite and minTLSversion for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and Kube APIserver.\n\n```\n# needs verification\n\n# verify cipher suites\noc describe --namespace=openshift-ingress-operator ingresscontroller/default\n\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\n\noc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\n\noc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\\-0\\-config\\-system\\-cliconfig}' | jq .servingInfo\n\n#check value for tlsSecurityProfile; null is returned if default is used\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.tlsSecurityProfile\n```\n\nVerify that the cipher suites are appropriate. \n\nVerify that the `tlsSecurityProfile` is set to the value you chose. \n\nNote: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2." 
 },
 {
- "id": "CIS-4.2.13_CIS_Controls",
+ "id": "CIS-4.2.13_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.;TITLE:Address unapproved software CONTROL:v7 2.6 DESCRIPTION:Ensure that unauthorized software is either removed or the inventory is updated in a timely manner;"
 }
@@ -9439,7 +9439,7 @@
 ],
 "links": [
 {
- "href": "#bcc08c26-c8b2-4455-85b6-e329fcd34a19",
+ "href": "#a7a6baf7-d860-4e6d-8678-968ffdee1e01",
 "rel": "reference"
 }
 ],
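Review bot: The cipher list that the CIS-4.2.13 audit presents as "currently considered secure" ends with `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, which use static RSA key exchange and therefore offer no forward secrecy — a recorded session can be decrypted later if the server key ever leaks. Those two should be dropped from the list, or at least marked as weaker than the ECDHE suites above them, so that a custom `tlsSecurityProfile` built from this list does not re-enable them. The verification block also still carries a `# needs verification` placeholder at the top of the command list, which should not ship in a procedure an assessor is expected to run. The audit prose for this control runs on past the end of this hunk.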
@@ -9450,27 +9450,27 @@
 "prose": "The RBAC role `cluster-admin` provides wide-ranging powers over the environment and should be used only where and when needed."
 },
 {
- "id": "CIS-5.1.1_rationale_statement",
+ "id": "CIS-5.1.1_rat",
 "name": "rationale_statement",
 "prose": "Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as `cluster-admin` provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as `cluster-admin` allow super-user access to perform any action on any resource. When used in a `ClusterRoleBinding`, it gives full control over every resource in the cluster and in all namespaces. When used in a `RoleBinding`, it gives full control over every resource in the rolebinding's namespace, including the namespace itself."
 },
 {
- "id": "CIS-5.1.1_impact_statement",
+ "id": "CIS-5.1.1_imp",
 "name": "impact_statement",
 "prose": "Care should be taken before removing any `clusterrolebindings` from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to `clusterrolebindings` with the `system:` prefix as they are required for the operation of system components."
 },
 {
- "id": "CIS-5.1.1_remediation_procedure",
+ "id": "CIS-5.1.1_rem",
 "name": "remediation_procedure",
 "prose": "Identify all `clusterrolebindings` to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.\n\nWhere possible, first bind users to a lower privileged role and then remove the `clusterrolebinding` to the cluster-admin role :\n\n```\noc delete clusterrolebinding [name]\n```"
 },
 {
- "id": "CIS-5.1.1_audit_procedure",
+ "id": "CIS-5.1.1_aud",
 "name": "audit_procedure",
 "prose": "OpenShift provides a set of default cluster roles that you can bind to users and groups cluster-wide or locally (per project namespace). Be mindful of the difference between local and cluster bindings. 
For example, if you bind the cluster-admin role to a user by using a local role binding, it might appear that this user has the privileges of a cluster administrator. This is not the case. Binding the cluster-admin to a user in a project grants super administrator privileges for only that project to the user. You can use the oc CLI to view cluster roles and bindings by using the oc describe command. For more information, see [Default Cluster Roles](https://docs.openshift.com/container-platform/4.4/authentication/using-rbac.html#default-roles_using-rbac)\n\nSome of these roles such as cluster-admin provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as cluster-admin allow super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.\n\nReview users and groups bound to cluster-admin and decide whether they require such access. Consider creating least-privilege roles for users and service accounts.\n\nObtain a list of the principals who have access to the cluster-admin role by reviewing the `clusterrolebinding` output for each role binding that has access to the cluster-admin role.\n\n```\n# needs verification\n\n# To get a list of users and service accounts with the cluster-admin role\noc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin\n\n# To verity that kbueadmin is removed, no results should be returned\noc get secrets kubeadmin -n kube-system\n```\n\nReview each principal listed and ensure that cluster-admin privilege is required for it.\n\nVerify that the kubeadmin user no longer exists." 
 },
 {
- "id": "CIS-5.1.1_CIS_Controls",
+ "id": "CIS-5.1.1_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 }
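Review bot: The CIS-5.1.1 audit command `oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin` prints only the subject kinds (User, Group, ServiceAccount), never the principal names, so the instruction "Review each principal listed" cannot be carried out from its output. Add the name column, e.g. `SUBJECT:.subjects[*].kind,NAME:.subjects[*].name` (a `.subjects[*].namespace` column helps for service accounts). The block also still contains a `# needs verification` placeholder and the typo `kbueadmin` in the comment above the kubeadmin secret check.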
@@ -9538,27 +9538,27 @@
 "prose": "The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation."
 },
 {
- "id": "CIS-5.1.2_rationale_statement",
+ "id": "CIS-5.1.2_rat",
 "name": "rationale_statement",
 "prose": "Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets."
 },
 {
- "id": "CIS-5.1.2_impact_statement",
+ "id": "CIS-5.1.2_imp",
 "name": "impact_statement",
 "prose": "Care should be taken not to remove access to secrets to system components which require this for their operation"
 },
 {
- "id": "CIS-5.1.2_remediation_procedure",
+ "id": "CIS-5.1.2_rem",
 "name": "remediation_procedure",
 "prose": "Where possible, remove `get`, `list` and `watch` access to `secret` objects in the cluster."
 },
 {
- "id": "CIS-5.1.2_audit_procedure",
+ "id": "CIS-5.1.2_aud",
 "name": "audit_procedure",
 "prose": "Review the users who have `get`, `list` or `watch` access to `secrets` objects in the Kubernetes API."
 },
 {
- "id": "CIS-5.1.2_CIS_Controls",
+ "id": "CIS-5.1.2_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;"
 }
@@ -9623,25 +9623,25 @@
 {
 "id": "CIS-5.1.3_smt",
 "name": "statement",
- "prose": "Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard \"*\" which matches all items. Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product."
+ "prose": "Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard \"*\" which matches all items. \n\nUse of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product."
 },
 {
- "id": "CIS-5.1.3_rationale_statement",
+ "id": "CIS-5.1.3_rat",
 "name": "rationale_statement",
 "prose": "The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API."
 },
 {
- "id": "CIS-5.1.3_remediation_procedure",
+ "id": "CIS-5.1.3_rem",
 "name": "remediation_procedure",
 "prose": "Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions." 
 },
 {
- "id": "CIS-5.1.3_audit_procedure",
+ "id": "CIS-5.1.3_aud",
 "name": "audit_procedure",
 "prose": "Retrieve the roles defined across each namespaces in the cluster and review for wildcards\n\n```\n\noc get roles --all-namespaces -o yaml\n\nfor i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done\n```\n\nRetrieve the cluster roles defined in the cluster and review for wildcards\n\n```\noc get clusterroles -o yaml\n\nfor i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done\n```"
 },
 {
- "id": "CIS-5.1.3_CIS_Controls",
+ "id": "CIS-5.1.3_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;"
 }
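Review bot: In the CIS-5.1.3 audit the namespaced-role loop collects Role names with `oc get roles -A` and then runs `oc describe clusterrole ${i}` on each, so it either describes an unrelated ClusterRole that happens to share the name or errors out, and the namespaced Roles are never examined for wildcards. Roles are namespaced, so the loop needs both fields: `oc get roles -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}' | while read ns name; do oc describe role -n "$ns" "$name"; done`. Since the `-o yaml` dump on the preceding line already contains every rule, filtering it for `"*"` entries would be a more direct wildcard check than paging through each describe.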
@@ -9706,30 +9706,30 @@
 {
 "id": "CIS-5.1.4_smt",
 "name": "statement",
- "prose": "The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access) As such, access to create new pods should be restricted to the smallest possible group of users."
+ "prose": "The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access)\n\nAs such, access to create new pods should be restricted to the smallest possible group of users."
 },
 {
- "id": "CIS-5.1.4_rationale_statement",
+ "id": "CIS-5.1.4_rat",
 "name": "rationale_statement",
 "prose": "The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible."
 },
 {
- "id": "CIS-5.1.4_impact_statement",
+ "id": "CIS-5.1.4_imp",
 "name": "impact_statement",
 "prose": "Care should be taken not to remove access to pods to system components which require this for their operation"
 },
 {
- "id": "CIS-5.1.4_remediation_procedure",
+ "id": "CIS-5.1.4_rem",
 "name": "remediation_procedure",
 "prose": "Where possible, remove `create` access to `pod` objects in the cluster."
 },
 {
- "id": "CIS-5.1.4_audit_procedure",
+ "id": "CIS-5.1.4_aud",
 "name": "audit_procedure",
 "prose": "Review the users who have create access to pod objects in the Kubernetes API." 
 },
 {
- "id": "CIS-5.1.4_CIS_Controls",
+ "id": "CIS-5.1.4_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Allowlist Authorized Scripts CONTROL:v8 2.7 DESCRIPTION:Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;"
 }
@@ -9792,7 +9792,7 @@
 ],
 "links": [
 {
- "href": "#7529501b-33d5-4e34-9865-699bb66c1d07",
+ "href": "#40ef7715-d34e-4299-b724-8db221ee316a",
 "rel": "reference"
 }
 ],
@@ -9803,27 +9803,27 @@
 "prose": "The `default` service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed."
 },
 {
- "id": "CIS-5.1.5_rationale_statement",
+ "id": "CIS-5.1.5_rat",
 "name": "rationale_statement",
 "prose": "Kubernetes provides a `default` service account which is used by cluster workloads where no specific service account is assigned to the pod.\n\nWhere access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.\n\nThe default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments."
 },
 {
- "id": "CIS-5.1.5_impact_statement",
+ "id": "CIS-5.1.5_imp",
 "name": "impact_statement",
 "prose": "All workloads which require access to the Kubernetes API will require an explicit service account to be created."
 },
 {
- "id": "CIS-5.1.5_remediation_procedure",
+ "id": "CIS-5.1.5_rem",
 "name": "remediation_procedure",
 "prose": "None required."
 },
 {
- "id": "CIS-5.1.5_audit_procedure",
+ "id": "CIS-5.1.5_aud",
 "name": "audit_procedure",
 "prose": "Every OpenShift project has its own service accounts. Every service account has an associated user name that can be granted roles, just like a regular user. The user name for each service account is derived from its project and the name of the service account. Service accounts are required in each project to run builds, deployments, and other pods. The default service accounts that are automatically created for each project are isolated by the project namespace." 
 },
 {
- "id": "CIS-5.1.5_CIS_Controls",
+ "id": "CIS-5.1.5_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Disable Dormant Accounts CONTROL:v8 5.3 DESCRIPTION:Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.;TITLE:Disable Dormant Accounts CONTROL:v7 16.9 DESCRIPTION:Automatically disable dormant accounts after a set period of inactivity.;"
 }
@@ -9886,7 +9886,7 @@
 ],
 "links": [
 {
- "href": "#a27b3a4a-2bad-49d8-af3f-78a1df9ae814",
+ "href": "#734acfa7-8bcf-41c6-a204-39f69a614757",
 "rel": "reference"
 }
 ],
@@ -9897,27 +9897,27 @@
 "prose": "Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server"
 },
 {
- "id": "CIS-5.1.6_rationale_statement",
+ "id": "CIS-5.1.6_rat",
 "name": "rationale_statement",
 "prose": "Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.\n\nAvoiding mounting these tokens removes this attack avenue."
 },
 {
- "id": "CIS-5.1.6_impact_statement",
+ "id": "CIS-5.1.6_imp",
 "name": "impact_statement",
 "prose": "Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals."
 },
 {
- "id": "CIS-5.1.6_remediation_procedure",
+ "id": "CIS-5.1.6_rem",
 "name": "remediation_procedure",
 "prose": "Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it."
 },
 {
- "id": "CIS-5.1.6_audit_procedure",
+ "id": "CIS-5.1.6_aud",
 "name": "audit_procedure",
 "prose": "Review pod and service account objects in the cluster and ensure that the option below is set, unless the resource explicitly requires this access.\n\n```\nautomountServiceAccountToken: false\n```"
 },
 {
- "id": "CIS-5.1.6_CIS_Controls",
+ "id": "CIS-5.1.6_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;"
 }
@@ -10000,7 +10000,7 @@
 ],
 "links": [
 {
- "href": "#343e2a40-49b5-4238-b2de-39c5a421c84b",
+ "href": "#a948d084-d975-48df-ae1d-7515cf8655ed",
 "rel": "reference"
 }
 ],
@@ -10011,27 +10011,27 @@ "prose": "Do not generally permit containers to be run with the `securityContext.privileged` flag set to `true`." }, { - "id": "CIS-5.2.1_rationale_statement", + "id": "CIS-5.2.1_rat", "name": "rationale_statement", "prose": "Privileged containers have access to all Linux Kernel capabilities and devices. A container running with full privileges can do almost everything that the host can do. This flag exists to allow special use-cases, like manipulating the network stack and accessing devices.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit privileged containers.\n\nIf you need to run privileged containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.1_impact_statement", + "id": "CIS-5.2.1_imp", "name": "impact_statement", "prose": "Pods defined with `spec.containers[].securityContext.privileged: true` will not be permitted." }, { - "id": "CIS-5.2.1_remediation_procedure", + "id": "CIS-5.2.1_rem", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privileged` field is set to `false`." }, { - "id": "CIS-5.2.1_audit_procedure", + "id": "CIS-5.2.1_aud", "name": "audit_procedure", "prose": "The set of SCCs that admission uses to authorize a pod are determined by the user identity and groups that the user belongs to. 
Additionally, if the pod specifies a service account, the set of allowable SCCs includes any constraints accessible to the service account.\n\nAdmission uses the following approach to create the final security context for the pod:\n\n- Retrieve all SCCs available for use.\n- Generate field values for security context settings that were not specified on the request.\n- Validate the final settings against the available constraints.\n\nIf a matching set of constraints is found, then the pod is accepted. If the request cannot be matched to an SCC, the pod is rejected.\n\nA pod must validate every field against the SCC. \n\nGet the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether privileged is enabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Privileged\"; done\n```\n\nVerify that there is at least one SCC which does not have `Allow Privileged` set to `true`." }, { - "id": "CIS-5.2.1_CIS_Controls", + "id": "CIS-5.2.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -10094,7 +10094,7 @@ ], "links": [ { - "href": "#c6b36abb-ad36-4ca8-a53e-4d56cf82ef34", + "href": "#bdebcb0c-998e-4c8a-8286-4f8444ceb5eb", "rel": "reference" } ], 
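Review bot: The 5.2.1 audit procedure on the new side of this hunk still carries `# needs verification` inside its fenced command block, which a published compliance catalog should not ship; either validate the loop or drop the marker. The pass criterion ("at least one SCC which does not have `Allow Privileged` set to `true`") is also satisfied on every OpenShift cluster by the built-in restricted SCCs, while the rationale itself says the real control is which subjects may use an SCC that allows privileged containers, and the audit never checks that. A stronger verification step would be `For each SCC that allows privileged containers, run oc adm policy who-can use scc <name> and confirm only expected system accounts are listed.` If this catalog is regenerated from a source spreadsheet, the wording fix presumably belongs there rather than in the JSON. The enclosing control object starts before this hunk.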
@@ -10105,27 +10105,27 @@ "prose": "Do not generally permit containers to be run with the `hostPID` flag set to true." }, { - "id": "CIS-5.2.2_rationale_statement", + "id": "CIS-5.2.2_rat", "name": "rationale_statement", "prose": "A container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host PID namespace.\n\nIf you need to run containers which require hostPID, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.2_impact_statement", + "id": "CIS-5.2.2_imp", "name": "impact_statement", "prose": "Pods defined with `Allow Host PID: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.2_remediation_procedure", + "id": "CIS-5.2.2_rem", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host PID` field is set to false." }, { - "id": "CIS-5.2.2_audit_procedure", + "id": "CIS-5.2.2_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether Allow Host PID is true:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host PID\"; done\n```\n\nVerify that there is at least one SCC which does not return true." 
}, { - "id": "CIS-5.2.2_CIS_Controls", + "id": "CIS-5.2.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" } @@ -10188,7 +10188,7 @@ ], "links": [ { - "href": "#2b29a9f1-2454-4959-ad8b-3bb2f0ed9c98", + "href": "#d9172411-f615-4e9f-a4dc-808a5ee0d534", "rel": "reference" } ], 
@@ -10199,27 +10199,27 @@ "prose": "Do not generally permit containers to be run with the `hostIPC` flag set to true." }, { - "id": "CIS-5.2.3_rationale_statement", + "id": "CIS-5.2.3_rat", "name": "rationale_statement", "prose": "A container running in the host's IPC namespace can use IPC to interact with processes outside the container.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host IPC namespace.\n\nIf you have a requirement to containers which require hostIPC, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.3_impact_statement", + "id": "CIS-5.2.3_imp", "name": "impact_statement", "prose": "Pods defined with `Allow Host IPC: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.3_remediation_procedure", + "id": "CIS-5.2.3_rem", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host IPC` field is set to `false`." }, { - "id": "CIS-5.2.3_audit_procedure", + "id": "CIS-5.2.3_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `Allow Host IPC` is enabled:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host IPC\"; done\n```\n\nVerify that there is at least one SCC which does not return true." }, { - "id": "CIS-5.2.3_CIS_Controls", + "id": "CIS-5.2.3_ctl", "name": "CIS_Controls", "prose": "TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. 
Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Deploy Application Layer Filtering Proxy Server CONTROL:v7 12.9 DESCRIPTION:Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.;" } @@ -10282,7 +10282,7 @@ ], "links": [ { - "href": "#3135b679-9654-4b06-ad69-c68486cd9029", + "href": "#1ad797e3-a3d5-40e1-8505-614c699bcb43", "rel": "reference" } ], 
@@ -10293,27 +10293,27 @@ "prose": "Do not generally permit containers to be run with the `hostNetwork` flag set to true." }, { - "id": "CIS-5.2.4_rationale_statement", + "id": "CIS-5.2.4_rat", "name": "rationale_statement", "prose": "A container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host network namespace.\n\nIf you have need to run containers which require hostNetwork, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.4_impact_statement", + "id": "CIS-5.2.4_imp", "name": "impact_statement", "prose": "Pods defined with `Allow Host Network: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.4_remediation_procedure", + "id": "CIS-5.2.4_rem", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host Network` field is omitted or set to `false`." }, { - "id": "CIS-5.2.4_audit_procedure", + "id": "CIS-5.2.4_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `Allow Host Network` is enabled:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host Network\"; done\n```\n\nVerify that there is at least one SCC which does not return true." }, { - "id": "CIS-5.2.4_CIS_Controls", + "id": "CIS-5.2.4_ctl", "name": "CIS_Controls", "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. 
Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Segment the Network Based on Sensitivity CONTROL:v7 14.1 DESCRIPTION:Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).;" } @@ -10376,7 +10376,7 @@ ], "links": [ { - "href": "#2b50adfc-1a99-4408-bc25-65a9be712705", + "href": "#4e1d8c4f-1146-40cc-b369-427d9d159ad1", "rel": "reference" } ], 
@@ -10387,27 +10387,27 @@ "prose": "Do not generally permit containers to be run with the `allowPrivilegeEscalation` flag set to `true`." }, { - "id": "CIS-5.2.5_rationale_statement", + "id": "CIS-5.2.5_rat", "name": "rationale_statement", "prose": "A container running with the `allowPrivilegeEscalation` flag set to `true` may have processes that can gain more privileges than their parent.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run.\n\nIf you have need to run containers which use setuid binaries or require privilege escalation, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.5_impact_statement", + "id": "CIS-5.2.5_imp", "name": "impact_statement", "prose": "Pods defined with `Allow Privilege Escalation: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.5_remediation_procedure", + "id": "CIS-5.2.5_rem", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privilege Escalation` field is set to `false`." }, { - "id": "CIS-5.2.5_audit_procedure", + "id": "CIS-5.2.5_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether privileged is enabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Privilege Escalation\"; done\n```\n\nVerify that there is at least one SCC which does not return true." 
}, { - "id": "CIS-5.2.5_CIS_Controls", + "id": "CIS-5.2.5_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -10470,7 +10470,7 @@ ], "links": [ { - "href": "#02bd932b-86f2-40ea-b393-127c921dbb1b", + "href": "#d871d223-f64d-413a-a7ed-d8e32d56c318", "rel": "reference" } ], 
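Review bot: The 5.2.5 audit prose says "For each SCC, check whether privileged is enabled:" but the loop greps `Allow Privilege Escalation`, so the label was copied from 5.2.1 and mislabels the check; change it to `For each SCC, check whether Allow Privilege Escalation is enabled:`. The command block also still contains `# needs verification`. Since the rationale states the option "is defaulted to true", the pass criterion should require the field to be explicitly `false` on at least one SCC rather than the weaker "does not return true". The enclosing control object starts before this hunk.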
@@ -10481,27 +10481,27 @@ "prose": "Do not generally permit containers to be run as the root user." }, { - "id": "CIS-5.2.6_rationale_statement", + "id": "CIS-5.2.6_rat", "name": "rationale_statement", "prose": "Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have an escalated likelihood of container breakout.\n\nIdeally, all containers should run as a defined non-UID 0 user.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit root users in a container.\n\nIf you need to run root containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.6_impact_statement", + "id": "CIS-5.2.6_imp", "name": "impact_statement", "prose": "Pods with containers which run as the root user will not be permitted." }, { - "id": "CIS-5.2.6_remediation_procedure", + "id": "CIS-5.2.6_rem", "name": "remediation_procedure", "prose": "None required. By default, OpenShift includes the non-root SCC with the the `Run As User Strategy` is set to either `MustRunAsNonRoot`. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs." 
}, { - "id": "CIS-5.2.6_audit_procedure", + "id": "CIS-5.2.6_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether running containers as root is enabled:\n\n```\n# needs verification\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Run As User Strategy\"; done\n\n#For SCCs with MustRunAs verify that the range of UIDs does not include 0\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"\\sUID\"; done\n```\n\nVerify that there is at least one SCC which returns `MustRunAsNonRoot` or one SCC which returns `MustRunAs` with the range of UIDs not including 0." }, { - "id": "CIS-5.2.6_CIS_Controls", + "id": "CIS-5.2.6_ctl", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -10564,7 +10564,7 @@ ], "links": [ { - "href": "#bc77b6a9-1889-46db-b22f-75a7dc0ead87", + "href": "#6f9b020d-b90e-4e4f-9581-a656e1a80216", "rel": "reference" } ], 
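Review bot: The 5.2.6 remediation text in this hunk is garbled — "with the the `Run As User Strategy` is set to either `MustRunAsNonRoot`." doubles "the" and offers "either" with one alternative; suggested wording: `By default, OpenShift includes the nonroot SCC, whose Run As User Strategy is MustRunAsNonRoot.` The audit's pass criterion names only `MustRunAsNonRoot` and `MustRunAs`, but the default restricted SCC family reports `MustRunAsRange` (UIDs allocated from the namespace's range), which presumably should also count as compliant — the second grep for `\sUID` only makes sense if that case is spelled out. The `# needs verification` marker inside the command block should be resolved before publication. The enclosing control object starts before this hunk.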
@@ -10575,27 +10575,27 @@ "prose": "Do not generally permit containers with the potentially dangerous NET_RAW capability." }, { - "id": "CIS-5.2.7_rationale_statement", + "id": "CIS-5.2.7_rat", "name": "rationale_statement", "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. By default this can include potentially dangerous capabilities. With Docker as the container runtime the NET_RAW capability is enabled which may be misused by malicious containers.\n\nIdeally, all containers should drop this capability.\n\nThere should be at least one Security Context Constraint (SCC) defined which prevents containers with the NET_RAW capability from launching.\n\nIf you need to run containers with this capability, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.7_impact_statement", + "id": "CIS-5.2.7_imp", "name": "impact_statement", "prose": "Pods with containers which run with the NET_RAW capability will not be permitted." }, { - "id": "CIS-5.2.7_remediation_procedure", + "id": "CIS-5.2.7_rem", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Required Drop Capabilities` is set to include either `NET_RAW` or `ALL`." }, { - "id": "CIS-5.2.7_audit_procedure", + "id": "CIS-5.2.7_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `NET_RAW` is disabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Required Drop Capabilities\"; done\n```\n\nVerify that there is at least one SCC which returns `NET_RAW` or `ALL`." 
}, { - "id": "CIS-5.2.7_CIS_Controls", + "id": "CIS-5.2.7_ctl", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" } @@ -10658,7 +10658,7 @@ ], "links": [ { - "href": "#07a1f737-1346-490e-be2b-542bcb5153c3", + "href": "#3fd49788-15e2-4948-9efe-6476e43153f9", "rel": "reference" } ], 
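Review bot: The 5.2.7 rationale grounds the NET_RAW risk in Docker ("With Docker as the container runtime the NET_RAW capability is enabled"), but OpenShift 4 runs CRI-O, so the sentence should be phrased in terms of the runtime's default capability set, e.g. `The container runtime's default capability set may include NET_RAW, which a compromised pod can use for packet crafting and sniffing.` As in the other SCC checks, "at least one SCC which returns `NET_RAW` or `ALL`" is met by the built-in restricted SCCs; the RBAC check the rationale asks for is never turned into an audit step. The command block still contains `# needs verification`. The enclosing control object starts before this hunk.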
@@ -10669,27 +10669,27 @@ "prose": "Do not generally permit containers with capabilities assigned beyond the default set." }, { - "id": "CIS-5.2.8_rationale_statement", + "id": "CIS-5.2.8_rat", "name": "rationale_statement", "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities outside this set can be added to containers which could expose them to risks of container breakout attacks.\n\nThere should be at least one Security Context Constraint (SCC) defined which prevents containers with capabilities beyond the default set from launching.\n\nIf you need to run containers with additional capabilities, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.8_impact_statement", + "id": "CIS-5.2.8_imp", "name": "impact_statement", "prose": "Pods with containers which require capabilities outside the default set will not be permitted." }, { - "id": "CIS-5.2.8_remediation_procedure", + "id": "CIS-5.2.8_rem", "name": "remediation_procedure", "prose": "Ensure that `Allowed Capabilities` is set to an empty array for every SCC in the cluster except for the `privileged` SCC." 
}, { - "id": "CIS-5.2.8_audit_procedure", + "id": "CIS-5.2.8_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check the values for `Allowed Capabilities`:\n\n```\n\noc describe scc | grep “Default Add Capabilities”\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allowed Capabilities\"; done\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Default Add Capabilities\"; done\n```\n\nMinimize the number of SCCs that have `Allowed Capabilities` set to anything other than an empty array.\n\nMinimize the number of SCCs that have `Default Add Capabilities` set to anything other than an empty array." }, { - "id": "CIS-5.2.8_CIS_Controls", + "id": "CIS-5.2.8_ctl", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" } @@ -10752,7 +10752,7 @@ ], "links": [ { - "href": "#9abe2b7a-f6a4-4f9a-9e11-bcfe5036f2ac", + "href": "#5883459b-fe6c-4243-a28c-74542f102e6b", "rel": "reference" } ], 
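Review bot: The 5.2.8 audit line `oc describe scc | grep “Default Add Capabilities”` uses typographic quotes, so when pasted into a shell grep gets the pattern `“Default` and then tries to open files named `Add` and `Capabilities”`; it needs straight quotes (`\"Default Add Capabilities\"` in the JSON). That line is also redundant with the third loop, which greps the same field per SCC, so it can simply be dropped. The remediation requires an empty `Allowed Capabilities` on every SCC except `privileged`, while the audit ends with "minimize the number of SCCs…", so the two disagree about what passes; the audit should state the same criterion as the remediation. The enclosing control object starts before this hunk.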
@@ -10763,27 +10763,27 @@ "prose": "Do not generally permit containers with capabilities" }, { - "id": "CIS-5.2.9_rationale_statement", + "id": "CIS-5.2.9_rat", "name": "rationale_statement", "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user.\n\nIn many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principal of least privilege use of capabilities should be minimized." }, { - "id": "CIS-5.2.9_impact_statement", + "id": "CIS-5.2.9_imp", "name": "impact_statement", "prose": "Pods with containers which require capabilities to operate will not be permitted." }, { - "id": "CIS-5.2.9_remediation_procedure", + "id": "CIS-5.2.9_rem", "name": "remediation_procedure", "prose": "Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a SCC which forbids the admission of containers which do not drop all capabilities." 
}, { - "id": "CIS-5.2.9_audit_procedure", + "id": "CIS-5.2.9_aud", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether capabilities have been forbidden:\n\n```\noc describe scc | grep “Required Drop Capabilities”\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Required Drop Capabilities\"; done\n```" }, { - "id": "CIS-5.2.9_CIS_Controls", + "id": "CIS-5.2.9_ctl", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" } @@ -10859,7 +10859,7 @@ ], "links": [ { - "href": "#de4f7379-b991-4a36-986c-775f51d15ce7", + "href": "#8a214a7c-1583-4195-bea0-27a40ff87310", "rel": "reference" } ], 
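Review bot: The 5.2.9 audit has the same typographic-quote problem as 5.2.8 — `grep “Required Drop Capabilities”` will not work when pasted into a shell — and it ends after the command with no pass criterion at all. Add one, e.g. `Verify that at least one SCC lists ALL under Required Drop Capabilities and that workloads which need no capabilities are admitted under it.` The rationale's "principal of least privilege" should read `principle of least privilege`. The enclosing control object starts before this hunk.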
@@ -10870,27 +10870,27 @@ "prose": "There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster." }, { - "id": "CIS-5.3.1_rationale_statement", + "id": "CIS-5.3.1_rat", "name": "rationale_statement", "prose": "Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies." }, { - "id": "CIS-5.3.1_impact_statement", + "id": "CIS-5.3.1_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-5.3.1_remediation_procedure", + "id": "CIS-5.3.1_rem", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-5.3.1_audit_procedure", + "id": "CIS-5.3.1_aud", "name": "audit_procedure", "prose": "Review the documentation of CNI plugin in use by the cluster, and confirm that it supports Ingress and Egress network policies.\n\nOpenShift Container Platform uses a software-defined networking (SDN) approach to provide a unified cluster network that enables communication between Pods across the OpenShift Container Platform cluster. This Pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS). The OpenShift SDN uses Network Policies. The OpenShift SDN CNI plug-in provides all Kubernetes v1 NetworkPolicy features except for egress policy types and IPBlock. However, OpenShift provides means to implement fine grained filtering of egress traffic. OpenShift provides several options for controlling the traffic leaving the cluster. These options are :\n\n- Egress firewall\n- Egress routers\n- Egress static IP" }, { - "id": "CIS-5.3.1_CIS_Controls", + "id": "CIS-5.3.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. 
Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.;" } @@ -10953,7 +10953,7 @@ ], "links": [ { - "href": "#3956167d-c231-4fdf-9b5d-8f4523d33d96", + "href": "#f31c52ec-13fd-43f0-894e-ea44f1d89192", "rel": "reference" } ], 
@@ -10964,27 +10964,27 @@ "prose": "Use network policies to isolate traffic in your cluster network." }, { - "id": "CIS-5.3.2_rationale_statement", + "id": "CIS-5.3.2_rat", "name": "rationale_statement", "prose": "Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints.\n\nOnce there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic" }, { - "id": "CIS-5.3.2_impact_statement", + "id": "CIS-5.3.2_imp", "name": "impact_statement", "prose": "Once there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic\"" }, { - "id": "CIS-5.3.2_remediation_procedure", + "id": "CIS-5.3.2_rem", "name": "remediation_procedure", "prose": "Follow the documentation and create `NetworkPolicy` objects as you need them." }, { - "id": "CIS-5.3.2_audit_procedure", + "id": "CIS-5.3.2_aud", "name": "audit_procedure", "prose": "The OpenShift 4 CNI plugin uses network policies and by default all Pods in a project are accessible from other Pods and network endpoints. To isolate one or more Pods in a project, you create NetworkPolicy objects in that project to indicate the allowed incoming connections. Project administrators can create and delete NetworkPolicy objects within their own project. 
For more information see: \n\nRun the following command and review the `NetworkPolicy` objects created in the cluster.\n\n```\noc -n all get networkpolicy\n```\n\nEnsure that each namespace defined in the cluster has at least one Network Policy." }, { - "id": "CIS-5.3.2_CIS_Controls", + "id": "CIS-5.3.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enable Firewall Filtering Between VLANs CONTROL:v7 14.2 DESCRIPTION:Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.;" } @@ -11060,7 +11060,7 @@ ], "links": [ { - "href": "#8d22ae4e-39b2-4a2d-b875-f3f7c340b70a", + "href": "#22c05cd2-11a1-4406-aad3-c2fe508895bc", "rel": "reference" } ], 
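Review bot: `oc -n all get networkpolicy` in the 5.3.2 audit is not a cluster-wide query — `-n` names one namespace, so this lists policies in a namespace literally called `all` (or errors if none exists); use `oc get networkpolicy -A`. The pass criterion "at least one Network Policy per namespace" is weaker than the rationale implies: the text itself notes that pods not selected by any policy still accept all traffic, so the check should look for a default-deny policy with an empty `podSelector` in each namespace, not merely any policy. The dangling "For more information see: " has no link after it, and the impact statement ends with a stray `\"`. The enclosing control object starts before this hunk.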
@@ -11071,27 +11071,27 @@ "prose": "Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets." }, { - "id": "CIS-5.4.1_rationale_statement", + "id": "CIS-5.4.1_rat", "name": "rationale_statement", "prose": "It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs." }, { - "id": "CIS-5.4.1_impact_statement", + "id": "CIS-5.4.1_imp", "name": "impact_statement", "prose": "Application code which expects to read secrets in the form of environment variables would need modification" }, { - "id": "CIS-5.4.1_remediation_procedure", + "id": "CIS-5.4.1_rem", "name": "remediation_procedure", "prose": "If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables." }, { - "id": "CIS-5.4.1_audit_procedure", + "id": "CIS-5.4.1_aud", "name": "audit_procedure", "prose": "Information about ways to provide sensitive data to pods is included in the documentation. \n[Providing sensitive data to pods](https://docs.openshift.com/container-platform/4.5/nodes/pods/nodes-pods-secrets.html)\nRun the following command to find references to objects which use environment variables defined from secrets.\n\n```\noc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {\"\\n\"}{end}' -A\n```" }, { - "id": "CIS-5.4.1_CIS_Controls", + "id": "CIS-5.4.1_ctl", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } 
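Review bot: The 5.4.1 audit jsonpath only matches `secretKeyRef`, so it misses workloads that inject whole Secrets via `envFrom[].secretRef`, which exposes every key as an environment variable and is the case the rationale's log-exposure argument applies to most. Add a second query alongside it, e.g. `oc get all -A -o jsonpath='{range .items[?(@..envFrom)]} {.kind} {.metadata.name}{\"\\n\"}{end}'`, and note that hits must be reviewed since `envFrom` can also reference ConfigMaps. The documentation link is pinned to a 4.5 release path; an unversioned or current path would age better. The enclosing control object starts before this hunk.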
@@ -11159,27 +11159,27 @@ "prose": "Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets." }, { - "id": "CIS-5.4.2_rationale_statement", + "id": "CIS-5.4.2_rat", "name": "rationale_statement", "prose": "Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure that access to secrets is carefully limited. Using an external secrets provider can ease the management of access to secrets, especially where secrets are used across both Kubernetes and non-Kubernetes environments." }, { - "id": "CIS-5.4.2_impact_statement", + "id": "CIS-5.4.2_imp", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-5.4.2_remediation_procedure", + "id": "CIS-5.4.2_rem", "name": "remediation_procedure", "prose": "Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution." }, { - "id": "CIS-5.4.2_audit_procedure", + "id": "CIS-5.4.2_aud", "name": "audit_procedure", "prose": "OpenShift supports a broad ecosystem of security partners many of whom provide integration with enterprise secret vaults.\n\nReview your secrets management implementation." }, { - "id": "CIS-5.4.2_CIS_Controls", + "id": "CIS-5.4.2_ctl", "name": "CIS_Controls", "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.;" } @@ -11255,7 +11255,7 @@ ], "links": [ { - "href": "#3bbb424e-c219-459e-95e5-0ddc1060db7c", + "href": "#27d3deca-2b7d-4f56-9076-5f9bfd37d4fc", "rel": "reference" } ], 
@@ -11266,27 +11266,27 @@
 "prose": "Configure Image Provenance for your deployment."
 },
 {
- "id": "CIS-5.5.1_rationale_statement",
+ "id": "CIS-5.5.1_rat",
 "name": "rationale_statement",
 "prose": "Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster.\n\nYou can control which images can be imported, tagged, and run in a cluster using the image controller. For additional information on the image controller, see [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html)"
 },
 {
- "id": "CIS-5.5.1_impact_statement",
+ "id": "CIS-5.5.1_imp",
 "name": "impact_statement",
 "prose": "You need to regularly maintain your provenance configuration based on container image updates."
 },
 {
- "id": "CIS-5.5.1_remediation_procedure",
+ "id": "CIS-5.5.1_rem",
 "name": "remediation_procedure",
 "prose": "Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html"
 },
 {
- "id": "CIS-5.5.1_audit_procedure",
+ "id": "CIS-5.5.1_aud",
 "name": "audit_procedure",
 "prose": "Review the image controller parameters in your cluster and verify that image provenance is configured as appropriate."
 },
 {
- "id": "CIS-5.5.1_CIS_Controls",
+ "id": "CIS-5.5.1_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Deploy System Configuration Management Tools CONTROL:v7 5.4 DESCRIPTION:Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.;"
 }
@@ -11369,7 +11369,7 @@
 ],
 "links": [
 {
- "href": "#85b3d0bd-5a26-4094-b401-20276530da42",
+ "href": "#857442a9-20c5-4df5-b2f2-b5f949c5d418",
 "rel": "reference"
 }
 ],
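Review bot: The `remediation_procedure` prose for CIS-5.5.1 carries an unbalanced markdown link, `[Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html` with no closing `)`, so the link does not render and the URL text bleeds into whatever follows. This is a context line rather than something this commit introduced, but since the catalog is regenerated from the spreadsheet the fix belongs in the source data so it survives the next regeneration. The `rationale_statement` part two entries above shows the correctly closed form of the same link.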
@@ -11380,27 +11380,27 @@
 "prose": "Use namespaces to isolate your Kubernetes objects."
 },
 {
- "id": "CIS-5.7.1_rationale_statement",
+ "id": "CIS-5.7.1_rat",
 "name": "rationale_statement",
 "prose": "Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. Resources created in one namespace can be hidden from other namespaces. By default, each resource created by a user in Kubernetes cluster runs in a default namespace, called `default`. You can create additional namespaces and attach resources and users to them. You can use Kubernetes Authorization plugins to create policies that segregate access to namespace resources between different users."
 },
 {
- "id": "CIS-5.7.1_impact_statement",
+ "id": "CIS-5.7.1_imp",
 "name": "impact_statement",
 "prose": "You need to switch between namespaces for administration."
 },
 {
- "id": "CIS-5.7.1_remediation_procedure",
+ "id": "CIS-5.7.1_rem",
 "name": "remediation_procedure",
 "prose": "Follow the documentation and create namespaces for objects in your deployment as you need them."
 },
 {
- "id": "CIS-5.7.1_audit_procedure",
+ "id": "CIS-5.7.1_aud",
 "name": "audit_procedure",
 "prose": "OpenShift Projects wrap Kubernetes namespaces and are used by default in OpenShift 4. \n\nRun the following command and review the namespaces created in the cluster.\n\n```\noc get namespaces\n```\n\nEnsure that these namespaces are the ones you need and are adequately administered as per your requirements."
 },
 {
- "id": "CIS-5.7.1_CIS_Controls",
+ "id": "CIS-5.7.1_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.;"
 }
@@ -11463,7 +11463,7 @@
 ],
 "links": [
 {
- "href": "#58a34685-46ae-4842-8a99-f49445402b36",
+ "href": "#684b6ec6-91ef-431f-bf05-19c5ba144746",
 "rel": "reference"
 }
 ],
@@ -11474,27 +11474,27 @@
 "prose": "Enable `default` seccomp profile in your pod definitions."
 },
 {
- "id": "CIS-5.7.2_rationale_statement",
+ "id": "CIS-5.7.2_rat",
 "name": "rationale_statement",
 "prose": "Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container."
 },
 {
- "id": "CIS-5.7.2_impact_statement",
+ "id": "CIS-5.7.2_imp",
 "name": "impact_statement",
 "prose": "If the `default` seccomp profile is too restrictive for you, you will need to create and manage your own seccomp profiles."
 },
 {
- "id": "CIS-5.7.2_remediation_procedure",
+ "id": "CIS-5.7.2_rem",
 "name": "remediation_procedure",
 "prose": "To enable the `default` seccomp profile, use the reserved value `/runtime/default` that will make sure that the pod uses the default policy available on the host."
 },
 {
- "id": "CIS-5.7.2_audit_procedure",
+ "id": "CIS-5.7.2_aud",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, CRI-O is the supported runtime. CRI-O runs unconfined by default in order to meet CRI conformance criteria. \n\nOn RHEL CoreOS, the default seccomp policy is associated with CRI-O and stored in `/etc/crio/seccomp.json`. The default profile is applied when the user asks for the runtime/default profile via annotation to the pod and when the associated SCC allows use of the specified seccomp profile. \n\nConfiguration of allowable seccomp profiles is managed through OpenShift Security Context Constraints."
 },
 {
- "id": "CIS-5.7.2_CIS_Controls",
+ "id": "CIS-5.7.2_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;"
 }
@@ -11557,7 +11557,7 @@
 ],
 "links": [
 {
- "href": "#5aa56099-0a8b-4495-8824-4ac8a6ddc6f6",
+ "href": "#3642ea59-a333-48b5-a365-3749ad5ffe0a",
 "rel": "reference"
 }
 ],
@@ -11568,27 +11568,27 @@
 "prose": "Apply Security Context to Your Pods and Containers"
 },
 {
- "id": "CIS-5.7.3_rationale_statement",
+ "id": "CIS-5.7.3_rat",
 "name": "rationale_statement",
 "prose": "A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context."
 },
 {
- "id": "CIS-5.7.3_impact_statement",
+ "id": "CIS-5.7.3_imp",
 "name": "impact_statement",
 "prose": "If you incorrectly apply security contexts, you may have trouble running the pods."
 },
 {
- "id": "CIS-5.7.3_remediation_procedure",
+ "id": "CIS-5.7.3_rem",
 "name": "remediation_procedure",
 "prose": "Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers."
 },
 {
- "id": "CIS-5.7.3_audit_procedure",
+ "id": "CIS-5.7.3_aud",
 "name": "audit_procedure",
 "prose": "Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate.\n\nOpenShift's Security Context Constraint feature is on by default in OpenShift 4 and applied to all pods deployed. SCC selection is determined by a combination of the values in the securityContext and the rolebindings for the account deploying the pod."
 },
 {
- "id": "CIS-5.7.3_CIS_Controls",
+ "id": "CIS-5.7.3_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies CONTROL:v7 8.3 DESCRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.;"
 }
@@ -11656,27 +11656,27 @@
 "prose": "Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult."
 },
 {
- "id": "CIS-5.7.4_rationale_statement",
+ "id": "CIS-5.7.4_rat",
 "name": "rationale_statement",
 "prose": "Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources."
 },
 {
- "id": "CIS-5.7.4_impact_statement",
+ "id": "CIS-5.7.4_imp",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-5.7.4_remediation_procedure",
+ "id": "CIS-5.7.4_rem",
 "name": "remediation_procedure",
 "prose": "Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace."
 },
 {
- "id": "CIS-5.7.4_audit_procedure",
+ "id": "CIS-5.7.4_aud",
 "name": "audit_procedure",
 "prose": "In OpenShift, projects (namespaces) are used to group and isolate related objects. When a request is made to create a new project using the web console or oc new-project command, an endpoint in OpenShift Container Platform is used to provision the project according to a template, which can be customized. \n\nThe cluster administrator can allow and configure how developers and service accounts can create, or self-provision, their own projects. Regular users do not have access to the default project. \n\nProjects starting with openshift- and kube- host cluster components that run as Pods and other infrastructure components. As such, OpenShift does not allow you to create Projects starting with openshift- or kube- using the oc new-project command.\n\nFor more information, see \n[Working with projects](https://docs.openshift.com/container-platform/4.4/applications/projects/working-with-projects.html) and \n[Configuring project creation](https://docs.openshift.com/containerplatform/4.4/applications/projects/configuring-project-creation.html)\n\nRun this command to list objects in default namespace\n\n```\noc project default\noc get all \n```\n\nThe only entries there should be system managed resources such as the `kubernetes` and `openshift` service"
 },
 {
- "id": "CIS-5.7.4_CIS_Controls",
+ "id": "CIS-5.7.4_ctl",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Trusted DNS Servers on Enterprise Assets CONTROL:v8 4.9 DESCRIPTION:Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. ;TITLE:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers CONTROL:v7 5 DESCRIPTION:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers;"
 }
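Review bot: The second documentation link in the CIS-5.7.4 `audit_procedure` prose points at `https://docs.openshift.com/containerplatform/4.4/...` with the hyphen missing from `container-platform`, so the "Configuring project creation" reference does not resolve. It is a context line, not introduced by this commit, but as the catalog is regenerated from the spreadsheet the correction should be made in the source data; the sibling "Working with projects" link on the same line shows the correct `container-platform` path segment.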
@@ -11690,467 +11690,467 @@ "back-matter": { "resources": [ { - "uuid": "4fa8c2d3-6b4c-428a-a0bb-5e25f4bed301", + "uuid": "8bb677a7-7b91-4f77-b721-85c544770893", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" }, { - "uuid": "a17d309e-222a-44a5-b2df-e0239742208d", + "uuid": "b4771c7c-b878-40ac-9e05-21476d348568", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" }, { - "uuid": "f7f556ab-234b-4a8a-a2ca-fec600e826de", + "uuid": "b06b95e2-d73e-4e4d-a334-ae863bdd80d2", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" }, { - "uuid": "005c3423-193e-4db8-9ea4-a4535d6615dd", + "uuid": "4d949458-3dce-4886-bcae-e8927b7f6b5b", "description": 
"https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" }, { - "uuid": "17caf35a-2d76-4359-8ff9-dc3b12f2a874", + "uuid": "b926b009-736f-4256-aba4-f00d92a4250f", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/" }, { - "uuid": "ba265dc2-094e-48d5-a15a-8b982fb6d579", + "uuid": "c0701093-fab7-42c3-920c-93a01dcfeb2d", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/" }, { - "uuid": "a66fe000-f5f1-4fe8-b67f-f2260dd22875", + "uuid": "822f1e30-a21f-4cff-9c9d-5065b8f675b7", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" }, { - 
"uuid": "d14ae650-3329-416b-9a3b-bea168fe3742", + "uuid": "e45552c2-8d5b-4d42-823f-0ddfed828273", "description": "https://coreos.com/etcd:https://kubernetes.io/docs/admin/etcd/:https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane" }, { - "uuid": "5864249f-943b-4f1c-9a21-2a0a42e92dea", + "uuid": "ccaed7c9-7ce1-412a-aae5-cb53e37cc0c8", "description": "https://docs.openshift.com/container-platform/4.3/networking/cluster-network-operator.html:https://kubernetes.io/docs/concepts/cluster-administration/networking/" }, { - "uuid": "b679d699-ad77-45c7-9ed4-454a836b1031", + "uuid": "8d4d808e-99b0-4181-815f-2a7b03e311f7", "description": "https://docs.openshift.com/container-platform/4.3/networking/cluster-network-operator.html:https://kubernetes.io/docs/concepts/cluster-administration/networking/" }, { - "uuid": "1436e335-5bdc-4339-aa7e-ded1e56b015c", + "uuid": "57b03bf4-abef-4ffb-a8d5-83dd1e32a84f", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://etcd.io/#data-dir:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" }, { - "uuid": "28d31254-ad8d-47c5-a102-594b3db49a4c", + "uuid": "4ed24380-ff84-471a-b732-d190144e9be3", "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://etcd.io/#data-dir:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" }, { - "uuid": "5872a0ff-2aea-4191-a31b-d914bdc46ca5", + "uuid": "ccba75f5-d463-4f61-ab24-1dfce255d5b1", "description": "https://docs.openshift.com/container-platform/4.5/cli_reference/openshift_cli/administrator-cli-commands.html:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/" }, { - "uuid": "4213a185-9ecd-4449-bc5b-69e70d993a1e", + "uuid": "bf6f8fc1-5d6e-446f-b940-9c57455bf385", "description": 
"https://docs.openshift.com/container-platform/4.5/cli_reference/openshift_cli/administrator-cli-commands.html:https://kubernetes.io/docs/reference/setup-tools/kubeadm/" }, { - "uuid": "57aa304b-00fa-4232-9256-0fd8759f895b", + "uuid": "d83510f0-b3e0-44c8-b5ce-afc0e3e9e354", "description": "https://docs.openshift.com/container-platform/4.4/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/" }, { - "uuid": "b85602ea-e0f6-4269-b0cd-127ca71aad50", + "uuid": "9a47b7f3-e65f-4360-9f45-19abd0dba25e", "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/" }, { - "uuid": "fe348e22-27d2-4571-b80d-8c70585a573b", + "uuid": "9d1e9d7b-0070-4ea3-b936-834b27599247", "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" }, { - "uuid": "7d91ba62-6f3b-4d8e-8fc0-ff364ee9698f", + "uuid": "39961bf3-de5a-4a00-8f57-992bbd76603d", "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" }, { - "uuid": "dae88d42-4bb1-40c1-922b-b85f28d0e6a5", + "uuid": "ad2c2f55-a868-4b54-89a3-91c6e696d0a1", "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" }, { - "uuid": "815280f3-e7fc-476b-a501-d0634af3a099", + "uuid": "4e53b8bd-7316-4f14-b5c9-168e07180cdb", "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" }, { - "uuid": "12f8aefa-7fd0-459f-9adb-8728606d9264", + "uuid": "932cfadc-2331-45f9-af63-1a7a3f70bbd6", "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" }, { - "uuid": "b9d562c5-133b-4668-9fc7-4a7282729362", + "uuid": "5e30ec9b-cd6f-425d-a5f2-bc82a9e0625c", "description": "https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests" }, { - "uuid": "c21de945-e1d8-46eb-a6f0-4b2d39647126", + "uuid": "5cb2cbe2-e79d-4337-838a-b2e201c9e20b", "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/configuring-internal-oauth.html:https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-password-file" }, { - "uuid": "c8cac56e-c95a-492c-b4b4-96029b3d386d", + "uuid": "02c37c6e-28ff-43aa-8f5c-c45a685d2e7f", "description": "https://docs.openshift.com/container-platform/4.5/authentication/configuring-internal-oauth.html:https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" }, { - "uuid": "211f6ba7-c1d1-4752-8760-fd0275037356", + "uuid": "47a40e2f-7b0b-422c-99ae-9e609728aebf", "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L12-L13:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L94-L98:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/" }, { - "uuid": "02acf696-664a-4db1-806b-9e3bf6fefc09", + "uuid": "1f36f919-5055-47bb-8de3-dc71e2e920bd", "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L12-L13:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L94-L98:https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/:https://kubernetes.io/docs/concepts/architecture/control-plane-node-communication/" }, { - "uuid": "962e3009-5d45-4476-aeca-aaefc49f6924", + "uuid": "0f84e4ba-df36-47fc-aa37-b4e7ecc36aa4", "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/:https://kubernetes.io/docs/concepts/architecture/control-plane-node-communication/" }, { - "uuid": "251c9643-b352-41d2-9f01-2dfe57309378", + "uuid": "f5983ad8-2026-4303-9929-fd5be7aa4599", "description": "https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authorization/" }, { - "uuid": "bb7b5742-5b2c-430a-9b6a-4f1858595232", + "uuid": "36c3249c-2810-486c-9493-2880915d8ffa", "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/node/:https://github.com/kubernetes/kubernetes/pull/46076:https://acotten.com/post/kube17-security" }, { - "uuid": "1116a809-988c-4842-999b-ccef601d5394", + "uuid": "ed50c1b1-4f14-4fbe-b68b-ee2c54a93f4e", "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/bootkube/manifests/cluster-role-binding-kube-apiserver.yaml:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L17-L21:https://kubernetes.io/docs/reference/access-authn-authz/rbac/" }, { - "uuid": "1606121c-52d7-4151-a8c1-16ee0f008c11", + "uuid": "42bec8ac-cdd0-4233-80a2-ef17015e1ba7", "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/concepts/cluster-administration/flow-control/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit:https://github.com/staebler/community/blob/9873b632f4d99b5d99c38c9b15fe2f8b93d0a746/contributors/design-proposals/admission_control_event_rate_limit.md" }, { - "uuid": "0528b166-2830-4e29-aa47-363dd53f4cfd", + "uuid": 
"95b30083-4285-4876-9512-ae40f86d1b51", "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwaysadmit" }, { - "uuid": "84035c9f-01d8-4568-8ae9-19adb99a17fe", + "uuid": "a887fb95-3c62-425e-9d95-5aa07b2ceb5b", "description": "https://docs.openshift.com/container-platform/4.5/openshift_images/managing_images/image-pull-policy.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages" }, { - "uuid": "feffeefb-16ba-429b-b4ca-21388319d682", + "uuid": "a4e867b6-1c5d-417d-87ce-032d23b56f57", "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#working-with-rbac" }, { - "uuid": "a6f2be73-fce4-478b-b7ff-771175f4ecde", + "uuid": "62aea79a-19eb-4d4d-9bd4-9a24a1a81a20", "description": "https://docs.openshift.com/container-platform/4.5/authentication/understanding-and-creating-service-accounts.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount:https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" }, { - "uuid": "792c0621-103b-4a4e-8dee-856b89f1a52a", + "uuid": "88334bd3-8089-4e30-b23e-a60f88658b55", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle"
 },
 {
- "uuid": "6efeb241-5cbd-4dc4-b441-4db43b3a9de9",
+ "uuid": "40b48607-ac72-42b9-b1e0-26413fa42b6a",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies"
 },
 {
- "uuid": "d4167fac-5246-48e7-8c49-3fe03e105295",
+ "uuid": "4a79e285-c9a5-43af-92aa-d1d42fcd5cad",
 "description":
"https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/origin/blob/release-4.5/vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane/manifests.go#L132"
 },
 {
- "uuid": "2a3c4201-8b18-42b0-8738-c147909ad9b7",
+ "uuid": "3894da9e-f7ce-46ff-901d-fca892803b75",
 "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L104-L105:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "e4203371-598c-4b79-8842-5db913aa22fd",
+ "uuid": "a1410fbd-16a2-4954-a5a4-47c2335c4dd4",
 "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L102-L103:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L103-L105:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/kube-apiserver/pod.yaml#L155-L157:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "50031704-586c-410e-98cf-10ef739d70ee",
+ "uuid":
"3c8ca9d7-6549-4c36-9d79-bce7c47ee8ec",
 "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L102-L103:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L103-L105:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "b8e9bdb5-bccc-4810-bb9d-00abed8280f3",
+ "uuid": "a0d90513-5fc1-4744-855d-177454767fa8",
 "description": "https://github.com/openshift/kubernetes-kubelet/blob/master/config/v1beta1/types.go#L259-L277:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/kube-apiserver/pod.yaml#L71-L84:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md"
 },
 {
- "uuid": "84a0a831-5582-455f-bba9-2678f9d2907b",
+ "uuid": "68265dc0-7a7e-49b5-8696-924b77423c85",
 "description":
"https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L22-L31:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22"
 },
 {
- "uuid": "26f1f625-6f6b-4e4c-895b-e5e906fa60a5",
+ "uuid": "16def20b-14db-455e-8f3b-f10599d9ee40",
 "description": "https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L41-L77:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22"
 },
 {
- "uuid": "d60e7953-7bbb-4724-ba06-c8dc1342599d",
+ "uuid": "5da25480-84cd-4a2b-a526-67265789b9b7",
 "description":
"https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L165-168:https://github.com/openshift/cluster-authentication-operator/blob/master/bindata/oauth-apiserver/deploy.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "e0e80c67-b72e-4901-b794-f94d21ad00d3",
+ "uuid": "21e872c9-f39b-4a09-9aff-1dcaab5b2383",
 "description": "https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22"
 },
 {
- "uuid": "54376cd1-fb80-4913-b697-e069b70228de",
+ "uuid": "3143c548-eaff-4fb8-af3f-59787de41ac3",
 "description":
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/pull/51415"
 },
 {
- "uuid": "1873c344-2e9a-4725-ba6e-c70b243e52b3",
+ "uuid": "d51e9220-e3f8-4cae-94c1-f7cf43f37c70",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L145-L146:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/issues/24167:https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use"
 },
 {
- "uuid": "b634e77b-e951-46d1-a6f6-4afa24dc444b",
+ "uuid": "4188e1a2-f0ff-4f1c-bf69-fbbf15b4f486",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/issues/24167"
 },
 {
- "uuid": "18aa8ead-f2ab-4af5-a05c-eab73e5b4ac8",
+ "uuid": "4b6ba567-785d-4f8f-b7bb-3f8c9d8b98d1",
 "description":
"https://docs.openshift.com/container-platform/4.4/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://etcd.io/"
 },
 {
- "uuid": "cb03103c-f6ae-42fd-abf3-e8c8513d3580",
+ "uuid": "028da810-1e51-43a1-ac9f-2e041949c1de",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#user-provided-certificates-for-the-api-server_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide"
 },
 {
- "uuid": "befe3b8f-c971-4274-9724-1df35e87491c",
+ "uuid": "7f3c670d-2513-4acf-a814-6cba66af12b3",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#user-provided-certificates-for-the-api-server_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide"
 },
 {
- "uuid":
"145df28f-05bb-489e-a5f2-120c097942d7",
+ "uuid": "3dab0d41-67da-4f36-9137-7e63b621682c",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://etcd.io/"
 },
 {
- "uuid": "d02d38ef-2e86-4dcf-a894-b44ddb562b12",
+ "uuid": "5992b0b7-d2b0-47a3-b819-d13bdde29a68",
 "description": "https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/:https://acotten.com/post/kube17-security:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/features/issues/92"
 },
 {
- "uuid": "9e782cd9-b388-4b72-ba8e-5ae74e2fc06f",
+ "uuid": "1acc4a3c-6834-4fb0-bae1-d743511159c0",
 "description":
"https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/:https://acotten.com/post/kube17-security:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/features/issues/92:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers"
 },
 {
- "uuid": "22b065f6-0a4a-4564-86a1-e6a050ebbcca",
+ "uuid": "e75501a2-c5f6-42b0-8c4c-56220a7d5321",
 "description": "https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress:https://docs.openshift.com/container-platform/4.5/rest_api/config_apis/apiserver-config-openshift-io-v1.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites"
 },
 {
- "uuid": "e3a167bb-1cbd-4137-b983-f58504c4e56a",
+ "uuid": "614f36e5-a5e7-4fd1-b212-97d46635ab05",
 "description":
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L554-L604:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/kubernetes/issues/28484"
 },
 {
- "uuid": "66d532eb-5316-4b56-9a65-2cb7a0905f7e",
+ "uuid": "a0cd76ba-5b3b-4ede-8ad4-82ef0e89da65",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/tree/master:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/manifests/00_openshift-kube-controller-manager-ns.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/community/blob/master/contributors/devel/sig-scalability/profiling.md"
 },
 {
- "uuid": "3505a93f-6a2a-47c9-b131-a82dff05e6bb",
+ "uuid": "9a07f228-1b6b-4d05-993e-b5dff8aa4d04",
 "description":
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/tree/master:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/ds.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/sa.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/separate-sa-role.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/separate-sa-rolebinding.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/:https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml:https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml:https://kubernetes.io/docs/reference/access-authn-authz/rbac/#controller-roles"
 },
 {
- "uuid":
"f9793b52-6b7b-4e7b-aae7-e19bbbc5fba4",
+ "uuid": "521c91ea-b8cd-4ba1-be26-99997ff62041",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#service-ca-certificates_ocp-certificates:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/"
 },
 {
- "uuid": "619a4bf8-1ef8-440e-8b2f-b8eae6ff3e56",
+ "uuid": "3d3a74dc-9186-4da4-b7d9-54a31fdc4ee4",
 "description":
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#service-ca-certificates_ocp-certificates:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/kubernetes/issues/11000"
 },
 {
- "uuid": "6023ef46-fe27-4793-93b7-ce98ced8c51f",
+ "uuid": "bb301df3-f9dc-47db-bb2a-43cfac62bbd0",
 "description":
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://github.com/kubernetes/kubernetes/blob/release-1.11/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval-controller:https://github.com/kubernetes/features/issues/267:https://github.com/kubernetes/kubernetes/pull/45059:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/"
 },
 {
- "uuid": "6ebf3416-fb70-4668-877f-7b32f2b95156",
+ "uuid": "309dfb4c-b87f-4648-a2a4-52ecf44d4a80",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/"
 },
 {
- "uuid": "cbb79ba5-171a-4d74-b1c0-8320a2768d32",
+ "uuid": "47a3fd6b-b95a-434d-915d-71b5afe6540b",
 "description":
"https://github.com/openshift/cluster-kube-scheduler-operator:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/svc.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml#L32-L37:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/:https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md"
 },
 {
- "uuid": "2ff045aa-73f4-4a43-847e-2800c9103fc5",
+ "uuid": "fe18577a-9838-40ad-8ea7-ca45972c4436",
 "description": "https://github.com/openshift/cluster-kube-scheduler-operator:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/svc.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml#L32-L37:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/"
 },
 {
- "uuid": "2f934076-115e-4a0e-a143-32b8ef9b6ac9",
+ "uuid": "f5a5f692-9d11-4c31-a48a-eefeba268475",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
 },
 {
- "uuid": "04d99409-c5ca-4dca-b891-b54d04ea091c",
+ "uuid": "832774b2-5950-4e10-83d9-0f216679461e",
 "description":
"https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#client-cert-auth"
 },
 {
- "uuid": "99e79ffc-d5d4-4ad9-91c9-0115bfc0f6a2",
+ "uuid": "a466cb1e-8796-4f5a-b1ac-989f33a2c7d9",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#auto-tls"
 },
 {
- "uuid": "c480cf85-174b-4355-b88d-00671113c7a1",
+ "uuid": "af06202d-d39b-42b8-b4a7-930dea06a830",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
 },
 {
- "uuid": "04062f96-b445-49e4-b38d-4951b110f77b",
+ "uuid": "74fd0641-3cae-435f-9e7d-ce6dcbe02b8f",
 "description":
"https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#peer-client-cert-auth"
 },
 {
- "uuid": "634f886c-c6f9-4d79-98fe-a68ec9ce12db",
+ "uuid": "4c66ba57-c10e-4697-a964-b046788fa4af",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://etcd.io/#peer-auto-tls:https://etcd.io/#peer-auto-tls"
 },
 {
- "uuid": "2363ce8b-2795-4ad8-b608-b705247cb6ab",
+ "uuid": "c88b42c3-268d-480d-be52-66741e503329",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/"
 },
 {
- "uuid": "8ebb9358-103a-43af-b4c2-e186afa69e70",
+ "uuid": "01409ae6-b0ad-475f-bfa7-2ee62ec12645",
 "description":
"https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html:https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html#authorization-overview_using-rbac:https://docs.openshift.com/container-platform/4.5/authentication/remove-kubeadmin.html"
 },
 {
- "uuid": "c2f5eee5-88b7-438f-9493-c5746ff68ce2",
+ "uuid": "ab0d220b-f42a-43e2-8a48-2956d0bd259b",
 "description": "https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L17-L31:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/"
 },
 {
- "uuid": "86318b47-61fc-4f0e-ac04-fed8c9da28bd",
+ "uuid": "40c249f0-75cc-4bc0-a918-0bd941c7f119",
 "description": "https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-audit-config.html:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html#nodes-pods-audit-log-basic_nodes-nodes-audit-log:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L47-L77:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://github.com/k8scop/k8s-security-dashboard/blob/master/configs/kubernetes/adv-audit.yaml:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy:https://github.com/falcosecurity/falco/blob/master/examples/k8s_audit_config/audit-policy.yaml:https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L735"
 },
 {
- "uuid": "5523abbc-69be-44aa-b8f0-0d7765282334",
+ "uuid": "f9696bf0-c0b0-4185-bfb7-1e0ac9c8bbc2",
 "description":
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#44-joining-your-nodes:https://kubernetes.io/docs/reference/setup-tools/kubeadm/#kubelet-drop-in"
 },
 {
- "uuid": "5ee947fa-4977-45ef-9514-b79a9a6f8f3b",
+ "uuid": "bcea46e5-4512-402a-adb9-e634398e12c7",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#44-joining-your-nodes:https://kubernetes.io/docs/reference/setup-tools/kubeadm/#kubelet-drop-in"
 },
 {
- "uuid": "5c7d8368-40e9-4cca-9c90-c8a1505f9eb8",
+ "uuid": "3dd2d4d7-e7ef-48e3-af9e-65c0f98ce54e",
 "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/configuring-kube-proxy.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/"
 },
 {
- "uuid": "201ef3a5-b95c-4b95-9ca6-041cc45753f3",
+ "uuid": "5adc197e-0e49-4fb7-8515-f27bb0678df1",
 "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/configuring-kube-proxy.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/"
 },
 {
- "uuid": "2679f20e-d437-4fbd-94d3-9300deb20362",
+ "uuid": "70faa058-f2af-4134-8837-af3f5f9feef3",
 "description":
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "efb94d9e-c91c-4b0b-8201-aa94f6c582b2", + "uuid": "fb86cf83-bb72-4429-bd81-49a8cf5ff14e", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "119a992c-26bc-44e0-819f-c53616338a13", + "uuid": "9ded8000-d42b-4a39-af87-bc6e28a796f3", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs" }, { - "uuid": "472cc874-97ff-4a4c-81bd-a3b565232455", + "uuid": "19499b83-fe98-4a2e-8493-c7210a52de61", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs" }, { - "uuid": "cec3a4bf-70ae-4eeb-b412-a52803f2e0d6", + "uuid": "51257190-348d-45c4-995f-213482f31bda", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" }, { - "uuid": "daac5ddf-fd89-4f90-acbe-3eaa4706cfb4", + "uuid": "d50db4b8-bea1-4e87-b70c-2cefd530c90a", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" }, { - "uuid": "edffbd8c-2ca8-456c-8ff8-759a7e369a87", + "uuid": "4156bdf5-c46c-4799-a01c-c495a846073f", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication" }, { - "uuid": "97c4e51f-69c2-48d6-8f3c-4820ce812ae7", + "uuid": "5e1c910a-8d1d-410e-8d7f-1d072a024fa0", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication" }, { - "uuid": "b0a79284-59f4-4b12-a7a4-b7fd73d32e36", + "uuid": "c408887a-6ee5-4cc9-b911-aa10de086da4", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L28-L29:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/" }, { - "uuid": "aad9d053-7481-4ef1-a443-dc6fe0aa3909", + "uuid": "0a57128d-4803-49f8-b086-2969ee569eb4", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L28-L29:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L114-L115:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L135-L141:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "25b0a20a-b36a-41b7-bd96-6fd4a7dfd325", + "uuid": "1eece71c-cc88-463f-9a39-465f737b31c5", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/pull/18552" }, { - "uuid": "fcb2eff5-95e4-4f94-b1c0-7fd3d06d829a", + "uuid": "77ca7af9-cafc-406a-b735-b82415471bce", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L618-L626:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "576ebaa9-bb17-44ce-98cd-021442090ba2", + "uuid": "b2679e66-bd6f-4791-9b35-0b85d81e5139", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L618-L626:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "df258d02-632c-46ba-b131-938998ac806f", + "uuid": "71a16eb1-f934-4738-8b8d-4ad9bcdf285b", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/issues/22063" }, { - "uuid": "1895214f-40e8-4615-b019-61940dfa98cd", + "uuid": "b8ec980b-ad39-4593-81a2-3998c02a849f", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go" }, { - "uuid": "f1854ab5-825d-4054-9a85-32e73db22296", + "uuid": "6686bf97-28d3-4b99-9e19-640474302bb1", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide:https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/" }, { - "uuid": "ca0ebe3e-495e-4753-80a1-a9b809fe8fd1", + "uuid": "2a5a9ff4-65f6-4eea-bfbd-56cb3a734454", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L172-L181:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://github.com/kubernetes/kubernetes/pull/41912:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration:https://kubernetes.io/docs/imported/release/notes/:https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/" }, { - "uuid": "7fb3efc3-eb24-45a0-a08f-d321b903cd0d", + "uuid": "25e569d4-5013-4c28-8ac4-b42c658e5130", "description": "https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://github.com/kubernetes/kubernetes/pull/45059:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration" }, { - "uuid": "bcc08c26-c8b2-4455-85b6-e329fcd34a19", + "uuid": "a7a6baf7-d860-4e6d-8678-968ffdee1e01", 
"description": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles" }, { - "uuid": "7529501b-33d5-4e34-9865-699bb66c1d07", + "uuid": "40ef7715-d34e-4299-b724-8db221ee316a", "description": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" }, { - "uuid": "a27b3a4a-2bad-49d8-af3f-78a1df9ae814", + "uuid": "734acfa7-8bcf-41c6-a204-39f69a614757", "description": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" }, { - "uuid": "343e2a40-49b5-4238-b2de-39c5a421c84b", + "uuid": "a948d084-d975-48df-ae1d-7515cf8655ed", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies" }, { - "uuid": "c6b36abb-ad36-4ca8-a53e-4d56cf82ef34", + "uuid": "bdebcb0c-998e-4c8a-8286-4f8444ceb5eb", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/" }, { - "uuid": "2b29a9f1-2454-4959-ad8b-3bb2f0ed9c98", + "uuid": "d9172411-f615-4e9f-a4dc-808a5ee0d534", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/" }, { - "uuid": "3135b679-9654-4b06-ad69-c68486cd9029", + "uuid": "1ad797e3-a3d5-40e1-8505-614c699bcb43", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/" }, { - "uuid": "2b50adfc-1a99-4408-bc25-65a9be712705", + "uuid": "4e1d8c4f-1146-40cc-b369-427d9d159ad1", "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/" }, { - "uuid": "02bd932b-86f2-40ea-b393-127c921dbb1b", + "uuid": "d871d223-f64d-413a-a7ed-d8e32d56c318", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/" }, { - "uuid": "bc77b6a9-1889-46db-b22f-75a7dc0ead87", + "uuid": "6f9b020d-b90e-4e4f-9581-a656e1a80216", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/" }, { - "uuid": "07a1f737-1346-490e-be2b-542bcb5153c3", + "uuid": "3fd49788-15e2-4948-9efe-6476e43153f9", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.com/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/" }, { - "uuid": "9abe2b7a-f6a4-4f9a-9e11-bcfe5036f2ac", + "uuid": "5883459b-fe6c-4243-a28c-74542f102e6b", "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.com/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/" }, { - "uuid": "de4f7379-b991-4a36-986c-775f51d15ce7", + "uuid": "8a214a7c-1583-4195-bea0-27a40ff87310", "description": 
"https://docs.openshift.com/container-platform/4.5/networking/openshift-sdn/about-openshift-sdn.html:https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/" }, { - "uuid": "3956167d-c231-4fdf-9b5d-8f4523d33d96", + "uuid": "f31c52ec-13fd-43f0-894e-ea44f1d89192", "description": "https://docs.openshift.com/container-platform/4.5/networking/network_policy/about-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/creating-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/multitenant-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/default-network-policy.html:https://kubernetes.io/docs/concepts/services-networking/network-policies/:https://octetz.com/docs/2019/2019-04-22-netpol-api-k8s/:https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/" }, { - "uuid": "8d22ae4e-39b2-4a2d-b875-f3f7c340b70a", + "uuid": "22c05cd2-11a1-4406-aad3-c2fe508895bc", "description": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets" }, { - "uuid": "3bbb424e-c219-459e-95e5-0ddc1060db7c", + "uuid": "27d3deca-2b7d-4f56-9076-5f9bfd37d4fc", "description": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook:https://github.com/kubernetes/community/blob/master/contributors/design-proposals/image-provenance.md:https://hub.docker.com/r/dnurmi/anchore-toolbox/:https://github.com/kubernetes/kubernetes/issues/22888" }, { - "uuid": "85b3d0bd-5a26-4094-b401-20276530da42", + "uuid": "857442a9-20c5-4df5-b2f2-b5f949c5d418", "description": "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/:https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/" }, { - "uuid": "58a34685-46ae-4842-8a99-f49445402b36", + "uuid": "684b6ec6-91ef-431f-bf05-19c5ba144746", "description": 
"https://docs.openshift.com/container-platform/4.2/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth:https://github.com/kubernetes/kubernetes/issues/39845:https://github.com/kubernetes/kubernetes/pull/21790:https://github.com/kubernetes/community/blob/master/contributors/design-proposals/seccomp.md#examples:https://docs.docker.com/engine/security/seccomp/" }, { - "uuid": "5aa56099-0a8b-4495-8824-4ac8a6ddc6f6", + "uuid": "3642ea59-a333-48b5-a365-3749ad5ffe0a", "description": "https://kubernetes.io/docs/concepts/policy/security-context/:https://learn.cisecurity.org/benchmarks" } ] 
diff --git a/data/CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx b/data/CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..0c5b8e67bb8c4843f7b8cc6fb94616391bf621e9 GIT binary patch literal 120094 zcmeFZgR`fZe&SrbiCd)%U5o>#oz&16G2A#|I&TkU=024M<)>a?l9|1gb&=f$%`cu=-Mt z4z3msu0~p(A1qu9I6m6jQGbPpWzGe`0^|SR1e z2$Z23A}qOpTl^@=M!s-HjOxD<;aOa&fel+?XUdS>bZx%5co7z*$K-NS{B1y2aK8#( z*`$Cc>5Ff)(S&!ZF}5tKJ;tUTN`GkZP}I{$C18aOf?bKpFPvQl2e%6wp>wCZ#){exIC@gKGpPT+4f72M_jDN8Wkk9~o#!P^b)LRET{bx1TR3)ohFA91;i> z^;1hh)=|1Dc>QCZ*tjnO!24_!y6nkwAC6DrdipmeM7ib9{nT&7W0%uEyvsr98%h7L z_=G2yD*~dd?4ufIuH6wg)v@W&^iNfH&2eE6>AzlO5mLiE(ex%l+8XTF4@<71#LVep zl*~MuO2EF!H75INZ}QzO-}SZE!PsUy{M`D;#0324~WGqUnKpy(+rP zrZ*KZ(~_Ep<)Kv#g1LK1qnZ9QsfADsv2Y>fgNby4eizgCa}_@Qb~Kl_q;E8>gsiJf zvz=ejdK#JAb(~9Qw&Okeu&aLQ*P!LYz2O;^>to2h^w;~&cRG~i`BM<3yR83YASjBe zco`^K|8tUv>I8UU1D_nhgFvJpWSEb3od4vBhoiHtsiULqpMv)9oPhzV8Zh?%?#GYh zC7VxN*dfPgzDNVUG0kG^78}dSUCZ?gNXV~9byetjA5Ra3k;@5EFJyn9D2IMI-$EZ) zyP2*VNBU^@xE|`sOVOm7U56oI!-0jI*G*VE8xL-rOdQ&Y* z=OSkYItF{3d!+d{sjIm`U2~c=SBo@0_*x^}&>NOczR%Uk8>Hs5<>dVw`2Fq{X@^+R zUmi7X1%WX5pW`X5=&>Oc4g{J6)Djjj0*I&o8cF$Y4II~B;`Ax`6`)7!CDu( z^7%*y7Y={z8tWUR57kjw|8|I9I{t9oib>CIUuP;@>}Gm@cjNcPWo_^L_2?L#wqCz! 
z02HA!oTyq^x|(8@YN#KDYa)~YWyrh}=_bPV;r4D+tioMG^jm?CI0(E8qZ-2^H8brr z=u*gOK7ckmC!fL#r&;IbR`OEGb+BoGw?RsNbR?bm1cpXy$GCq)_NNcq2J23UPyll_ zH{8*_R&uk%(1y#Zb0KBvM1+MQ>`y)OE|KY6;w`6_ON1KLZiptwC2?1%PhKZ#DCk++ zjI&-YZ#YaD>K4<`0^G4w+aq#tKTjm#AFOPziqMa~c~GAvtv4)LMrz%w(`kLrrRYZ% z16yZP@hScX*4Nu|M+zU`Ivf%sisC38UBCBDGXo|BV| z?RJF)Q9JKlec%}0Rmm|kk1-1E`Jxh_9r@qU<+w7vcJkre75?+RR*n2Ot?vyRca6>0b8S{*}_$Ord_YMFH6l@Nmub4dyyPz zZ(h2;Jni*eQ(bcHEWeA0)MFOxsFQTDId)I8-&Ca z_U6nB1%%)T^N^9K^4c`D=k4i9G2RCSg&kbFF`3~!)*;y{lXKXnRd1I(l}C6C)Z(9G zSfTmeb51{y`*+5b*3rX6M^F3IXO1UNt=8pIL$B_+7Z-#DsO-E0^>em|wZ@3-l!|vC z6nPsqEsa8KR$QwkmB)*NM$=@dGbUb{c z{PwLIq^7j_OzXVm`EI5tuF_9mOjJz7&(CGzcKc#;`tJO`4+|^D-_ONa`|+gVJV|?$ z^EyXt(ckCcho8$?-`(wId)xEM^M1<;RnF7x!;shG87uK?v38-`t*x!0hDsx`_GgPn z=+kXxALst)Y5T*)%?0#{;pr5*Gc#(G{rj4#KIFBp&yuJp#g8Y~=abvb7u^kNLgaB` zj~6F?zNa@&Giv*zoJI=Szp0LmzCMn&i}-jhSNnS9NL@pppgHY+w+r`uYDPipePMA} zoc?wSYKFdE&xaQ~qj752Vt&y(PufNP&rj3s+3U~Er_Zeh{0oiK7tpoG$&K?3HO>|I z^ZiQut3Ik$%GNf2Bi`Hd_v5a2l{vrLMeY1LLQC&wGNy#enwl|mk2w=DY-&_IM1Ak~ zyTb&Tp06)P{U6z%YHM#BCfl>F1fJ`!E1x~i9zCci*NK)zrpt;h)f`oymT#}9viz<$ zFRxeZ<;M0*9`DbW{r&4m;>BLSesVb%Q_lN3xq9RL?D@DCcc%34jk{6JuvNq_z1-i6 zq*BZez4znK`)f|D_HrT^ZDtwO8Q`MWF>(J@A>(TwwjXr-7pO3c;dPIZwRZq~TnK(|BlZVW6!|U%e z(Cq1Fv(uY<^T(5O&P=4pUH1py`?a{J%kz6|X^|_zh1XusH{7hz{{ELx6S@Q9(d%a~ z7u>jq`L=c^AmfF%*w0O6)UQ@o zw76zPCC-r-^Jk2xeDBHLEw(TEKQB#g99K%d8%G*F-RRMpzO5(2s)u$N8dxut$ldY1 zdM|Z$jWLv&WaXah7fW-saJ_VF_)I8vaW97BNHH!f9ZfMVbcl{AL4>(SMax0q$*;cdJ z;N22zS6CWD+DF<5!cD;t*Ai5`#~kb*6&>f%#CT`Dst3o5v1qmW7S08Ojjw7-91^Gj zmx6f2S2d6JW0?x|^t_G>Ux3X~)s)?uQ8(e&0!2P0>K{`$GYsOc%*=@ z75rS29WjUw{9H2~l5k2G_@vDIVCz*?xU$xcPAn?1w`gJyp)%W`$2AyQy!Ba{>NeET zkYFz!TSLh=uS5c57=L?!5+dASvD5DgfhUKk)Dw%g0sSHZ3li>K&4D}eb>KT5Q(+v>3XDG%}PXK>IG+vyP32rbX|S0h0bC91^L;) z3WbqwFaak-BIszbfyV7;F*TwPY~EIbqPRn! 
ziV3RibZ}opNg!canEm8@bSduSL5!_X}RazN6I0W4bifcxbD(8JiZf1n*J z)yZ{YP5o~uQ0o1$oAQ~29A~I^#MZ=mZi4j^M^D#RpMwWOLa!fdpm*s^s=fx70#sU&H%aGI9JtX;d#W}@|9 z{Tvi2*j{GEEM17LWZPTgDq$M`vOuMR3+20*ri;q!m~VdhIsGY7&z#hmat3> z?|be2Qw&W*`QC>Zp&2}wj`+|Y^)8}#AV#CGFMa&*ZqRCwXnHmpsF#1!ttph8cOoya zxk6UzB)^cRBQ10y4MDWTnt4Ri{3MwqEt0DqGu0=megoE+;VvzL%^sCM5H^jdHlmgh19+zwFiD^N0a#t2OR z*2Yw)XIYI>uSXch67WuXIrpQFNk}FFg04*XHHD(JcLR1~z* z8TU(m*j5>U!V0l^EGv4jsP6j&_H%L}((0v#E3(ttBw3?;v75xzDzv`Cv+>Z5p@nr*R$Bd%nOv+; z->vEYh`4v0nLM%lME=o>v4C%sC%CA;hsSXgh&0Khc({sCrJXs!{CIv!WuIu#3iJA~V~3gDv5>s!2Z zN6Uv0-_8~Yb%?^PlNYaTuGuy~DOOQ{eh&~54P{rf&bB~QO9*7)oTiONeDzs%VTv=^L$H?#+ z&MvKaZ9@!o1Nq4bGXaP7`}I?_ODix*?1};0awz)r8@_LYNf|8i1;BVJ3M3^MBqBrT z%K!N7R@TO%8&?hl3k#IGVXg873tapKJQ!j z`BSlgelpJ)SryORhhH|}Jo?;veipjUKuW0w50W$s#KM2(k*l6jHwez%^*oBg;TV&L z{HZyShlgB%%22&~SD7$^J5XFfnqlZC1Gp)X$CE&hold!yDh%)?CGgbRi4FZ89v3$mje6R@nOW#212e2zT3iKw(gwdz4`kut z0=%Y;W*Ok2*wq#lF3b;B4r{NVKiNU5S^lx)V`$&PeCW4OEyJ-VpVT%(GHV0pNpOXj zpVBI2qp$ycc542kMS^YAFq^Ykf_~I6drejU1Z{|nVw4tPQ*FPEm~*3((8qB=z}AB$s3PEV+%# zsrkqA-go9)pGneC@1+=%gvv-^h*w0AU?qUH#=QB4IIYoX`n5{`g+N1p(49)QyLCZiv<46mT^t%F zI+rhe?kvB)d^r0c-0OwqV?h)e+)Uy5g_}E&D_l_k_p`VK8CORmS22(J>?hXA%1JdG zdfXP;_;Q;5{ADi;n@SA<~KlrIiST0ecRrpYP($^W%7L^ z>AFM7-6SBrLiY$j!~{Df16O>j3uL6Tq8wgSRtO(7l`J0rY72QnSsos$@|koBIrvV6 z;`IxGuz5R|lt5ie<9`UcDvWR7C#4$zMMM#W?GGfwx+tUvmq*6iv@~%MX^VB3c>4yP zA5K;p4e!?>gy|o11tu|ZP_ zO++&MXV#wLdv1S~8ktmEMw7Sw`o3{{?JVLCay#VR`3bLade{8EhQ0mg-KJwROz+Bh z36E|UqfYv+wIcNhPm5&yvaCeBLXU{Q*E{dbfyPEPk&Mc;|Ae=A$S2NH@VdGvj(+@l z{`8@NFKkBr)sr6_<%9Tf9yVTaM6tPg6Flomp2f$fpLr!lc<@kPeE0$8ACmFAXBpxd z)4XL8BVBNDwl<0@O*vARZMgrXYR_8mC@txJF0Y!c=G}Eq1bGQ5fIxfmVL1^fQ}9nu zW505F6G6GJj53RPgo7F5zxb+DBORb;q)9u^^yfES@E5D&eXz|Q1?Eqab50{U0p566 z2GIp5+f`!9td_T$)vd{e-S+Qf4S~Mz<-%+zLjkn23StPg-8eD%5ZAjP2Gs2QSh{C4iT8P;P!)U<32=Lsif3a{_woe*_9_6jb7v~!Z7-Z`n=f+`kT=o= zNHgMF8Uykiplm~JvHVZeqK&fgl<(-|u_{pV6;%J3$Lp!z=@%+@Leq}x3g>L)5&sI3 zFuOR*&->N02`+nn!cav0jLlbYp{{B!1%IjEOBF+lBRkp^ZWVfY@dcPh)fj5gqC(62 
zS5g$zc^+?h`PTzo;aVKcdbXz=k`!f|1OJ_m+59EDpYh)69Lx^r0d^n1xWa)h`9^J( zm8l7;e%`y+$XdfDI*8lX%#Z+L^f$6OlP!GBH3@74Ph~YHzjrf`>46;8^aAVk*XgdR zT|h0gR$*h)usqQUfbM<%a1`wovh?v_q&@3hkl(LsH~{A1S^#FPj-uaj_Xe;jm8>L9 z@KX+t4=eBzSKDeMuknuwaOX0`u(Ree+kIbynq*2F;CTx2&*2FHSwuSdC8HpH2z?us z>J6TF`5jPY6G8KiOfJR%>t(?>>S~Vn{)C^WVZ9CH1m+M43l#@C*kYRgDOFu*8sF{+uKE&Y zo@(7SK=phjcs!uXDMTO#nM2;$_#Ps$YAed3g6j2+?s4)f9|0`K@~ja-zY9q~04Je3 z?L&E-soFk_@Nz|=4+B2_m2e@%D#g`*lG`%-JAM2R!q;I3f}{5I~TrZ!UrL)zAN5x)asg zXcXpv8;G}lp$=VP5)cr`&2W^}k0q|Aum#vD*>Iqg7YuZ8ppRY|Jc2M_qolP$P&uujqOk z>BK)Grf?LL62(Nv1p0Uf7?y}H9L1Jzw{j1m7L}2T&;B}{Ync`3H(B{%Nw2y|h7jCt z$f~1PLYt=r5cCO@zjF9b$ujG*>N^%2y8QtPxJ%WRRi;L-tX$zX88h(W=7zj#p$s@o zRd5TU#zW*=I2#OCc%C}v4^k%Hb6gRxuDE^Vw<;u z;2TA|zf#gWsYSXYeM1r;L&6o$2LlFYuusYl!_iqM+dE$e4&G(>2*|`2_EO6uZUY33 z`X0mPH}=WB0jn^WE(P6#N^i3)l81<-;ExJ_ga|$zeG_{-8`GCR5xe4_x^WFx?6@LJ z#~2?uGcz;2id*~+@I|a{p+SF&*1L=;-Y}`tp=QR*v_^`D_n}1T9jl%lX3s&dC8DLS znT@yDUoeU%-?82qzc|=8tGqm%y?^g;boX8WG}WL6!NHU7+27xf^FYz!NJ00eS}4DI z9eAK=g$$VdSl`zA8?WDR|C06rgTG@%`TOh-j(W0nH0m>cY0rNNy1uHzR6undiLEc? 
z)NL#|S|{!pI2>Q`BRBwLg#Hz``;W)OB+H^F7ni~IcBOw0>7L?|N@nwa7J#?_Iv=v^rmP@p(SlcC_(bwP{*WHHCL_v?^=X)Cn zGxf+S*_`bY(q$ajoNW_;P$SgU%de8RP8g*1Ak;mS!$eXL4n6P4QYNN{PeidqSEfi4 zjZjo`3K;Cu2wjWDDr$hk$!~yzG4~HAinzc=l4vd~mKfPYSt_LJZYhved^|@V1{O2E zGZOxd0*hh5sygS9@8%kq`S4~0PLNE388knnwfHn%&&`zp4p+47RmydSnBRDHP-f{dY^_biCFbHEKiVA?geOc*ohLY#RWzr zOKRB&!U06F;Uy%x*fc+atkIG#o>A~IgnFb~Jbr%U53^k?l(5Jc%n40xD-Kj;{(F(+ zVC|T#rpr*o6oN7Dl-a;Hz>n~5A)&SCWjJ8;DjW89sj*)`=sgS88_Q!Bpwi*PMr>CU zbMm*Gkcz+0FnC!e5u@<~=KbCH51=I}GMxAsjXpe)h8C4fB0}JnKw>G|+NCP&tZ6+K z+wh}6frI8KELPRxAUcrc6HR*;LawaMwIOW(=Xi8Sk{6oY(SXl_z!FABuRtt-r8TToh^@`!+exZJ#_6{)8A)Ss?|G@*imH}mwpNMV-y@HWiH96!mu+*-}K zKmZX!g0G2}P#`~qNi2C!zCd#XvZ>`AZ(;iDq~Z!29;yULN&$Ic71n4$*!WLbLV7jv z-R#KauLMQT^G`beMQJCq)F`+{k?mKv@fvF}T4Yl9*dD{?2RuJAXMFz;_{tH6+$kW8 zf55W~)V(#*-JGZ8jat;%{7vf;#l}|iUEU;Nf;L6wh^=NmjvPJFL|FA8b^AlyQ82tj zvm6q(a*=$2w<~B)2R8a}9K}p7A80}};GsAyuQOj&BWp0#BTk>QxJ6JTXuP-#=Yy;5 z?*PYD=}}Zz-T18Npm)M<~ITKlX&hQ$Q%@GkN|?WetVUHNI2- zAnFlhg!n^|czHE>oP4JIKe6DJIm`uQujtPw$lE3BHo$~D?YRjp-`6Q=z(KfJQ<`$EyI?XevUFP>_QrOcOwo8tEgw%CWwBCYn~!&P4& zj=3~9hyK8lMqCQZP^6p#EG=jBo|#YNZ4p#aTfU?Q^1tjESgV>sR-{`ivIOu&&q3N5%tqiTd+g%Y6fU^NAK_q4CQ zyT_2dhr<-sS_;%aWn$38Xp5n`(H_}0e;^-|H;}X@;-6<3*#9Izji_fRk?p@)84#R? 
zdXgs~_%;`PW@AZO3KWh8I#H(Lj$;3kftLfOR$FLC!Q0k5C9I+x!%S-6I|w-W+Wt87 zaOb2F8T@(x9R!FSYK)^b14uOJk0p71aKK>YNduNZ5QyU=U(ZH1pX%T~RZ)1mE4f&W zc9pIlEvDar&5UVF0PRo-m!ibbom~({wi_WFbm5NrXAAUs1Hr5k#B-x^ELM6@<~#iQ zE3m&OX>Inmh%i49Kx2EQfZN=Hg#Ph#)_L9Ti?i%1&Tn8iKTzY15~s-ns@*#8k81y5 z21HjN5M3%{4Do(Bw~^u;1iPS-w>i_wBc-qvO$9tU)k1s&AqggZmj6NK!BE-9;M_5BUTe`eDN#>I};`|CvH6sY)dMJnajz!#OaLT=&jl+Jru-?wgB> zfdx{ndnCdpaay-b7<0Pi;uV^@ZGXM$5}AtsW8HB-5W4Y^N+$#spDg2dd#2FnC!{Dq zx75{THE$n((rQM%``_n$Y`D8!pG*4(&uzLc2|E5};4Jr90LtqJC=W@sw^iqx^2!2s z{;@ss#I*ptH3wP{-{%6v=}dJt#-J7;`2S%Mn3TCbejY9Y0ljt_X=(6 zbkP>butqKFn%7YYk>ecRgzXqd--d(6n*1CP(pK5C_Jn8P*g>})11DJ3JekDMH9J%K zc$H}Qnur8(0q)XZ_ux2FJi3br##@+#)`s`Ssr-en$7+CbjY`#BsCbT5GP@kp`DcxY zDm$2ayX(W4{75r5*LZATu`)5q6OGpUCmLhfJEmABWF8Z6tqL(bj|q1FCy3u1M*YMm zNYA!g_0ov}xV;3ywBRp|STScUGf4AJD|{5$gg0}ARSMUsbJ@+?T?XhVCQM*@1j+T!Y5>5*U;VkMO*gRzea7{2PcfA zBwM-FRxU9@t**Ha8*zZ#YkS@rpwTX6BOEkts%d-qe>UaQ*`G4zO+t>(Khv)3)dDOe@4OlCu3>D29!GD!3E2T|@PU&@~g+nIYO+ z|3v3809lPC%(Xn#pAkee zj(!viv`z~Gs)TLT+CBm%nw|U4g}ygfsQ=+~HG?c?Qw0Ea#3oqjurZGA1C@aiCh6{F zKcN3o!w2haF`d~h-tB*4#L$ApgP(K9u&F&H{qAL~_jPAx5!$Q}lbV~>+N1NQFCx_K zIxoA``j^i}rc=I#Yn-migoip+bRXai2r)@#SL9(C6A{#*>LlPMw&JxrcPweRR_|9d z@sA1gpj%S7(LzDl%4&f}8!HSOSD2&Ha&8h#HsBK6^MAVp_nWxZzB(_CUNvsM+8$78 zGsF#~NExbPf5W3B3QS~2_A3}$eBBE;UEg#EdYH-*Fc|+k$F2R zdahpfdsTlT<;b$x4=<(1!POGbMpU#=%MBXEq>S*dqwp^Vb8mhijO993UjLGA{xBte zOkgDGTY+ZN$j+mc`GY`h7y9eqk&;7lejCllb_Ri8;V}(>grhi(Z}oTN$l4rR853MB z-}YakF|D8OtZ-aE9#_r^bEH1hnaLyHClwFoO*iiY(Gq<01)fC$>k@CoF$4*~_B`h* zC(uvUsMJOj9cdl};z?H(yAIDmgWoF3)nV|@rzH;Wn{e3KYVzf3r#s88r)gqJayg7B zE?D0Fq>n!{75{3FY#&~6JZJjKNRZ!A0Pc~5O4xl|3#jAvSGb|3- z|Lro^evEL`x8mct$ENCE*1~TuwX>xv=Zkct=Zwhd@OQ(E4cuBea2Qzc1I6E8xeu1l zuw96jV<&3d8OqE`wP-4D;rR&4W_UDU4Ex zAtu4|Z0~mHac4)6Da*0NMEc?EY&)N<#_M_i9QdZrz}?!83O)FF@8WpH|6kv!x!eiQ z@|zUBeQG)6I6XG<#Ef&7moSc>r=q3f(27sGbn`?(5E}eV4Vw^Dd|AV$T*Y*8HI1J+ zozUss^X|?gmAF8z5W_}IVl3EQVi_$o=%V)^h}6Vmv-Mpu91py?D5hJ!1O(Gwt5`}3 zf_Z~88b^NYs=9Dm(tegdLv&(1>gFx`?i9@9%274wvXqO1Iwc{{(zfCp(ky3|>@Y!G 
z(84DR6~IuxLmIIJ4nuL`vg;eA&q=)3e^TNiUfovAOYWtR6lOS)I~J7~W;h(NeI$G~ z&;lTAc%hwrVFPQpEAP%{wl3LPzcdP{!jXf)wX!N!d;+9BQjonIxz6*_aY3zL)yhSd{LRH2-3Y?}wA46(Re+ z{HMVrL!-rK^1YQPwAPoXmy+gQY0~CZZ2_ERMv?S|kSFWnSs(SXhszM~)14%hsZ!(~9!gj~GDDf&k5O#JRv}r14KoB< z4wV=iu(z-P>n;@o&}9_p49z&EbcPX|-Gc3{8A2efR5+y}l7#k1%0^tQUyAh&S#t2#l1*j5 zD=x8lkJm~eyAvR(F*cNunF)ugP>^nl@aJ6ie8TdF(RVmruiv?;E>w2|({2>BxJPd7 zZYV#fUJa|T(+7b`fUfA#;M?svD?3$;eWtca<&^kz#t;r}gU1>COkEddrY(oyi^Aja z1+@#}IzJODqc9-F33Y~i=3~D2x(Ok|=)sk49g7y2tFALk@=$g0ahAkr$q<)hUaa;^ z@fD4XVqo5|6b{@S>nI6zXZe(){*zK)U_FuOQ70Hw;PKjYNR~PM<@%WTIie)znBdi% z4<~ULB8kVmi#UYH{>?6f3Z<7quq3ACM^mquTh1TJgxOEQck#-*)vb=ym# zy&e;(5d+j#^Lz~Keg~-Y#$$Ah-qw3NHNDdmW-0j4%Y{r8igjPSO zstY6_gbY}9`9mRk6S-g@fc5zBZ6GWAvwIWPEHcJJNg}3jQ)5qQ+DPDhLfTrf9U1dB zGB{RkwBJP$%~~tq=aG+c=Lk%R0{KBuFP@f0=3YpG&N zATrZ$3BePhDjY(j#n>6pT^Bnj_T0i7vPj=BJ$mhaMQM%9&)SinyFI*zJULZiht42( zf&FhNYKK5rBvzd|G<>dG5L>LCvFRW|%1Ecu;I4FGewCyVyRhMMMDF(XF)?{~BlV03(p z9`SMTw*}J3z#5{&z?#!;z5coVfJ#KT5OB?}o>?b+jtOZ-G=pK8*q~E*#5~Rkt(<}b zb-7)cG~%$10zx@-6-nqdh-AxK?^4nXB;5L>GDSRLeaw&ONs8b78UvLkUxFrvkNIaJ zVu(+1m_-kYjP**$*W%S`&4*vTGPY9YtG$8!ApR=N0sBl$k7;He+Q}$;3Tn87Ko2Nw z-ktOmcP*acaXpQqhFt{%V);4=JzmEfRJKg zz(Ob(3JC&23R^Vig?uJ9>O9&&##Cb5B8(dDCTuaJ{pI#;zt+~+^-H1GJm5}lH2!5H zaukdAH*O&GfcWsO+twyzFi7jE$N42mk2$-GB+PJ{)0AxwWt2=69_Ow81hk(UL~^#jpK2 z>64L#+zmhBhV*tYCGWBlB1lG5n68!;k-+7kMpl@rj|Fj`Kw2L7xG_+jm_5U#q-bLK z-h{(tBmRUO(8RXJhntz1*3n>cbsM9Ak_#`xUXq8bQ}YaYgLtr!8iP16OGhUtbK4-> z4Ph_ChoV_*gvsmhKKFC~gdkdm2ct$xN|9Ul@ogp|_6#NC7k8s! 
z%JofEH#NkKEqh8ooZdvbanHw>1*q3!BfNUqm#x z?m=E)8F*W5L&&g}ysVBOAz`VMtRh-o#b;w#VQ-Nj-H%EQ496}*E*}-8%=$#jTvV>8 zJOZLD-5yD5DuQ6GuG!Y7{gIl#^^~?B}?WWba^+74rUJQP5t5g>E-t<8cf!Y2YVgcwlL+xbw?tJhMRuet%ZYU*0yNq5)U%eBU-Bk(JDPdnm~L?53yy{LFMb;}&M7S=m--+G(JqHK z$uCey;e;}zgpc`mB7oFZE~K4n0WYkuxGeU_NTARNt>ymcm&oFZi@aFh69U*kXaZS9 z2$dhfJcF6sHa<^W6BAZN-M7A_NN$QVwa+lTQQEUwls5VB2*;x3p0uur|r(xdkZLFe!JqIv8CQ_U0@UwURLKhrU`x;pgOAWA5D&ZnQC9J{B;n`}1F|)PSc#;y}DsL?bGPp_%gr;D5RM_M~^WM94W-aW5 z^fCuvZs65%Lh-1|mb=S{$#&q}n zf(e0!9S&}-;v4+FFPEK=EsDy+&mM`LZvCRcZB&|MFEQ(WP(x+VLV;lYQ|}O7O$VYH|PN_LGXe>`h6*R zIe>-hMU(8yiJ{JuX6j4BF@z4hBKWa3uWuA!cuu$RPKSMKOliIf6X7p!#St(WaNs8+ zh6L^2n(v_^{J~7?WR?l3g^aff0IlQ?XxTQOg2+QqX?e7P$(Jy0Yz``Zt&I(NC-KP{ z0cVf^p81}~b+W`8mDX#hywpFYRnuyhL+p)Gu%v|WSgZ(sG6xYVpiCsDxX*kb)b^6h z;i!}?R7*?5q4vz-vE>rT)kW%N|c*Gb!;4>pHzSG8@eh)nzyGbbOqZ?F1 z$?Xj+=%f3bgIlai?k#XLVvI2nRE;R%(e#IO;}gSz{yq22qt2w|C=lx1v{uK@RIebd zsqZe>;~ICRZb??$ZL~JN>hFG)ILrcW%o^ZC*_zmXy2rHy)J{zkGv!rZ39V-vp zrqugr1%-4;6@;;3EqPkGVJ8MoBw8%Pt>7S{LfH1n8m(%B-st@n%rzF-(%II@vGAo+ z+=dW`fgwTxQ?8>o-KdAQmHef1Wnc*v>NuKmN*8o%k720iaCtwdr)uTY{iNZ*~5T=sv@*Y&R3vD zp7FKf)fM8>f=(p+!E=L1Vqe|$XV`jA?`m&#HJ1YjHrni$JL~7!*3GnywMOd7vtJTVb-Vq(gHXAN7c_{C^NB|apP^W!sQ%0 zaB(zWf1fz)r$qxg_P;ipsbw-Me#ycr;>kVg-Za(wB<{gU04ad3)9Ds-Nu8R|B5vUGtgl!Ff)o;I zBh3u$C^8HBimG}5W$@9A+DL5NLABiHhQ`3BBHn9M9crWy_r zEt*1d03Ew~K>Y?+-ki1~Esg>~3VoOeeIh(4uIw>tui zO}>AM(;^K1p;i2_J70h^0!;t$H)G%WJc;C`OzGr9D{Kp4Qt7!^K$;7avRMg}zIa(g z)$f?EnUhh-BQB%rW`S8uJJ$3>lhT4%w_i#?Kz`_}D8VdQ535>2R+4X*k&Ch6%n_#AHo%WmjVP5f%@r zLpWM2QOq07aWef*Xr{Kfz(i^8_4^y{C~Q+9hc&}~0k`7}E^}>hCiSOfCf@U1y^*Yr zneT0Q*kjm|^ZhJ#Wu+jA@X!Jf|{S>%`>E`6t^YMab8O|pL z+4!sv_@RNmu+irSy}jW$LX{J#DhjaJKt-Ufx_(Jv}(LLvsX~jJ}$vU1M>Q_3!_=*{tcX z^Y~fpe|htq@>0K92RjJ#ZWxk_VCQ$ga>ac)T=CRg+A@eKmQt zc53PIeD>qs%iXWOwSBp@sp)xb>(=P`Y@zb)&ilCgvU@@8hL-!op>v~#xSe*-%hBhH z^_`{exVYo`g~z$#56?Ge4@-W}Pnl6sefu5@EoFU`9>)#W8~&ax-iAYXu8jdKU9#P4eeRIdZ6=a*u0ixUZDkih}a)&lnkfAot;?B+aC zD1EMpn;H?by;L)WqV*8w^kBM+`kb$Aj|`nZXZb#?Xm6~vbQ@V3jf8d^#Xep8?^GK8 
zXd?0N4s&$7s`9-*doXHte0rUKd)re+)D-;WUi)}^x|=hKiE;braJ{i6_Tb0HM+US` zOOB&{kLUNNGp_`$Z|D53pRg7h?nkb!+_lKt*QYO^wu=ruHmW}FtQ=q6FDCK9XLGu zom)OTJh*NoTwC5>?R6hMLBq-_wM%jeDsudv;{4|yA6gDau#Pc}tRAe7+8vi4?hda` zy+o*cD<9qbZ_sC27OGcoW@=k9y8}h9&Zjv!NBb%t&b1sxDk{Z9VvTMzALIOONX4GI z&TdYRsrslQAA`lXd>-I7Rtyki>)shZ+!w*-!RW1;-qFsDJ62w4R~m{O_`N2>N;xGH zjct!~T8Fkl`{F#g=zUXffUiK0S&c|+8ey^m$HC%$g7#IL_<2pYH{Mu3)EW4bpX$lw zPvVeKjE^*5LUSG6#?D-SGWaCVLE~3cr3h~Y-EMB4^`2Hewy^w+o>o@|sUEy}obFS^Od@P2|T>$S8Q~l_2Nkn2IuHhKZ`rQ`}4|{tv@2E6=%SXFeibIhd(u_ucVl z_xsp4Pp{GrB?6vsc)b1C&fla0P8qsk65fJD`My@?d_O>$CbgG_erW^AD%g-+MXo} z&hBSux+iJU)tblvqg1YulSd3to%5A7+QLsESGUi(8n=)8*tbuw;M>G@lUH(Fzuh`g z{9~~lGvV*Sf>m!H75XxsF+Wg@fpiNeV7O%20=QRUSW*~s6Zz5HkwmEb{{tW_>2N*)hAa|ONH3}PLLinzp0`9@M5CDFyExsSlW z@75_30#-4wS_1~7{~bItg+N3m$?paU!NmG}g>xPhjO9`?>8DQg?h~@&o+KKbJ9m7V zg-vVjK_N%uOPtaYH1_;iioA8J6%*ZptmGO+dp&SKCg)%Q0TG*I-EHYR1MAM7qco!S zMR+96ZN;LcuZ)f13CTY{5n3L^LQaQNK8TxDxX!cN1fh{BC@5RO^hxdeXOp(ie)^`N zFZ4>Q)D?DjY#xXC&k6U$JaP;AHKCwdx3c9xiJ_k!tW{e=ltB#K5CpP&GrI?8JQ3UQ zSC;CA(mQG{^X%rZ%qa)aiiG@>g!6EiNPUu~6|Q&sZ}HxZ$t#*lqVZkzjooZzt?H-@ zr~D7T-a0O-wrd-vq(@Rxx)JG;?ydn;x}>GMyGI(NK^hbg3F(sV2I+1@NlE$k0ABZX zzt8hM|M@6Ycs#K-kiV z^K>twPPG(Ar{it`wlj*3QNL{@72Z8I0`%PiakWXl%cG{P!hC~D(N&_lhXCD7 z@|}tze|9i|8dTWX8PONEFYOi)oy?68@{gjP-s`3C*eHk%uoeN-S`=NlV(&Ebr%?Lr zpog+&<)FtXf(R<*OqBfCjNsm7U&SX7bRwu%gxMoQH`+lU$i2frA8>wQU^bOhER5~b z1Rr!Sn`Xbq&Vbj@N{fsY---XX#h$SNf`#5$<{!17hI#sMKcSMM9Tt_k8jjY(PXAF! 
z@vls!I0?s7fU{spQVB$NcFqQNREZJ?!r6idkdOc;{9}_f%>UL(3#yenRGz+cm^U2= z1n{BocR?um?ieajBB0A(lW4w42i)Uf<$7aSsKsJT~G)R7DQBO6xz**Y7QcK_L;=#**{Ix!xkx7 z+kvSQ_B_612U8|d;NGdB4yZwYrv`2vdiFnRNIs}>Cj_9zWHE?2BFMo&98Hq>VYv~O zUNkrJMDTmv4?0QfBm&eXO0g8UbxtbO?{=VS-1#fEA2R~#FPM*N#5%Yr8y}$ZK7q>1 z&eKZp1Cc0i-cR+&h_;ExVI6U8(D)Pd@Ss=oeTR7L%ts{Y+)60|`|i#&=etGe-o_TF7( z|G0~u=6`NdXM+jVisau~;fAZ`-?@wL-|kAl{^vrdyN*zKFasFkq}v99H2nQt$X}m<|s>p00(CV#aJEUiU%HZ$`HdzGsspXQ}?fbcD=0If6{w+ z4sio_Q>*Qu5=ofWy2W))pi|3H@fub!bfIrZx?gOle>&%S-Zw{WkL!$xxtr4{9@AMO zTbUN@w?VD;16@RrwY~Gb`WJW(t!;zK}!m`efkOYu=MmS-Qv$3;5%ADdBcT{b}LfI zJ}w*vg4-aX{H7H#6($rL@*tr}0p~U9JkxZ$=3kRnxG1?c%k=i`gzDn$6QH4w?z1e< z=fkp9kaPUq;iZd-h0tl(>;gOD>|Iyfh&_84f+>wY@W7BHZQxy;#P&f@>mrdupZ6;| z;BlCZ#{Wt+d&&@$%nlLTRzR{j7s2hE0AcgjI~MY)8j0W>DHqiKU)&ITMtl%y~P4zud)G_Je>GuDk!J<>d}z$pf9kfg8$ z&Uhj4==ly%#*EQmAE$mZB|(voxCtV91Z;uZc_Jf< z#}%DGfEQd#M0&0F$cb$QVJei^sAJi93i~mxElpe_$0}}I|a%qcnl74 zp}Qtf^T;rzRGOnhROLVeIjA8M#6o!aMWovxW3VG$q#-!0Dtpn-+H)I322nM|sP$*E zBxPV@LY?7W4+)?+4T+XyXhfO^wlp10mdJ>LvpSKu=^HqAzP=WJOX~GxF zApwRg7-l(m>1y=!GMSpDY{%)?@r&bNjmNdHOsG%*VF$JXF4+4MnM{!NIL>()UEV_Y z-drxEJAs1(3;D?cS%me1i7-f<(nkDW4zUlKG*QTQcqFV8IAO{LMz^!^k zUI%*>?LAp-Zu|;K$Bvo9IhgI@(x@eX0h^t{eS~m8U~TUlJ0O28*+%&9x+?2=$bgB%pLyTubsI5#63AvdfEyuDoFN1 z6U2Veao{K|PTQE|{lXEXw7d9KHNr?Y^p}L<$;d7i*x;-Yt5RBdM`#(boE{3j0TxxB z7|B6*AT=Tc{VZMM<-huQo5a=`PrgN>ptUK=g(2St zea}VW@nVw0k{*HTz-X_qt0MhE!5hqh`D!9{ zK;y&80nUc>lBXJfoG!H zl_~Lsd(wH^{%K_LNKTXy;ONc_Hj ztAY9ijt7^l7m9lzvjHcxeuT@i@6u}nd-N$}>E$ zr?8bCx&u9}r!|l(q*uH{&xicx_ccox1q?8m|*|w7=X`M z?Dia7MFb$LkuLOJ9)_de1)nhuX6Idk$cw^`XuZo&HO#0qu`2zqPG@$;YHeEE!3=GNios@Ey{EIDmS)1khJ9o!%Hf!}cX29hZ-N)-OVi`p1 z?IxS1EXgAr3)|Krrz*Njd%V*P8gQ>u75K=0QRGWq^(+of$^t8sjm9`zsVe6G8 zfrcbB*VsmrLbvCxSscX1`7i;_`}ft>`xRlt{pGkm2sW*%w9xnm%n_5!WqZQrFCVY)W0907u>&+Q=7sRW>#dceuqvZX;Z6_08kPgd@dK#tK^=1*@8u2c?UBtOR#N>hPxRTMDtjR zEWVDjcfu1I6LtUrP>=^Q_`ds^U+A#j(zc_ES`&{Skc_75=@aj;T&qN=KaRf^vgI>c z{M`bH#;(0HhpC`R)Cdod=nEhb^!nEu3zbEZ$B5yHp9Gm)P9}CxQlfv-MecxxNpI9k 
zwn6td0XdRrxcZc>?%}RB5I#h;SADU{C!Ea65sybyW6UH$PrNHe{C>>d-H&tUL82Hb&|7{WvE*xulB`Zksi;Sn-f(m0E|9w z?jF?~-K(2wyxRnOuF)Le<1f~e1 z4LS0}r@7*h{27<&dbrDoDm)i25%2p{A7n zO_4eFT8RbK4*nd=LtGlg#I0M=!Z%@ahX1`?N<~BK zTI{;PJW6i|pBuM+fs2R3!|U1$P3*e6fH^oVV?4vb&=`Nwqx+l56d+J_@=ecN!=+*$ zfGH$x3uRS*SAGM=4qPM$I6>SvB-2;PeuMdx)iUNc_BegLB^BES=+c1WN+w(r-x+!$ zV*XbtB#xlgf0!Bg4cZ=3@1K3TIpF)GRZj0+p5mPcRQ7s@Bo6|vo(3}uTv7(Pl)y&M z_nrGxG{(`*cY-^#LlZer9f{l?prVS&Is|qMILav;sNPA~K3Z9v6@?3& z=v~=<6|^&Cd2PV$-MP+uS~gDu1km{uH1GKjkETh>q2J3790X`@1bw4DUgwo$srUDE zy_4%bTx3xqyiV@ry-ca+kjQmVB;_R>o3~JK=fF)u@_atqBS{yz9uNV*neSEv(ytFx z2n-6DbwnnUhuk35Un%dca4<&gSdS!TLvQjJ%7G|c!vXNR6yJe2Vi1%8K;A+l=_d!> z^HiX)dwqg|q%aZ1H%y2lW1k>K-UAoPTe|=)FasoP=m}J9q0KCm7i-YZHCV?B!zGVkR6GIJ*lh??n|>YJg@;g0R)@h^}jKC?@qTv&Wv-NW?ZJ{^m(Z;q(py$h8DtHw>fxx;l5!*q^eJd{8K&aT5#k81W2LfLakMR}_;sR2^K4&qpV)NAU>km;m8&eBK81_dph<1Trtp^Q5Y<=Ayj3jf!OV zyp9J5K&uZxmjNckxxn&(mAVIxe=p@MZrp0%Ha=yg28(PrH9a#wsM$(?KeaW85`I_>p(e5Is%Y? zUF={jZ4%j0oGLqm#G zET-q4RY)t-v_%#OLVf+u!R{QORW_f^1)^q`0wH|fPw-O7g_NNkvyRWS~wj`K^f+l!p* z2AU|I*QY(|3~FX|?e)Ufxj(xeqDoum&&2rKR;1VYv(55N&Qz*9;A>u0KlW@MCtTp% zM?gD()^9FU0+9yb1#C-C0A;Sbh~dS=)GjCNTjOuP-v?GJG-KEu#MSy6ts+J|fA=&< zh}P92j^S+kRK_1D7|>80F=Vw>A)naao-Nvrg#RSyyXfbZdr|S-+jn8S=;fEv=4`N2 zM!;Q%wfO>?L7|9;p8{$+z)ur(fGtg%_5VU1{yjTzoK!Fo0m|k*Zl#83prT8z$oPW+ zOzYxeCvGkyRurA;t=?O^h{q|`!Q1K4=^=w~pIyKwZi27O@XgFSfzGCn#mIo<+ncb3 zn<07M&xipr4)pGV8~FF>>hz8--7y-#P@B*`=Pn^aN!0z(`XVmdI}qD)vShWp59UTZ zTL5zFqF)>&r37MhplbWY{BIg9f$VDI03JTj@H1RTY}TKs54n$6z`xLL=f1e;;8!1@ zyn8^!J!qjdXFit)yYDVr6x1dWY(6y9F+~!9v+5cWfD#CFo&gd~*#@=rWDJC6U^2+J za>tZCvq~XA=zYJaDP6{ZsTn>Q%nW}E|TMh#hr^UbTBKq&5eg3krl|`YFg+_%WRWQK) z5k_`-oOcckaHDEc$_7Jnnc^*kgQZ59P-*Zt244boeJBUe2E`$%=RXY?bW$^)kDw_F zO&BM4jS;jpdC|0e@$W?Y(69h^|IHM4?c2lM(89a?=EChbq{1B3>ag^t1` z*?s_}dvHf`I18GtJb*hq?s`#=+;B-C_hUm7>ixvzUg;N2^dESZl~fj#{fqKCRhkJ| zz#;LAbK>oI;uo}fc$H?Oz`V|lYWD%=KvN4?MToIx^pLR!r*DJD$vE`(P1F>TM7~HN8G_CB<_iF!r-t3ueuM^g9{tS)z)Ahxs2qTdwPix;{jG>v 
zR<*zo;+~Q>V01rc1D5`$>$;~yH1{L=}VyoiQF*BFL@>2ZAJDpzbrO|>XLZxqO{P}GzRFg`|Ij~{MDnYMcO1_=%Gvw zcr|0Piz9li;fN|TH_KRQTC(>6&M^(p40HM?5*L~)Cp;ep3e=3T#MEC|Geu?o70YCh zO=Z3J6YlVu6K-(#Y2kEH1y7ebNRpx*#SDy%10ZG3TmK>U?gIJ^SVmpzJgJ^k_ z)yVs*eOI7coxyMagKHq_bbHl&J^%yLM4jFyL3&fYYQU`j@*2R> zIh2A9;r3Qv@)M7J(@f}yV7Q3u1b8h#0Y>hcvOF4SDZ*6)n!QF#2o$ll2u*)g)qxPx zyEqN^?9~4!mYsA9^y2VH7*rg%o~f~D4%~58?EeB8(BQ3LN!mXB_3K~x3aG6BvTKA+FRsi-{$Ecs~+iOId(*0m5 zT=drugb^sUy6u}fIezZqvC;E>KmiB332-=Ilc=d3h$g40E-o}Pc6LvWX3&sjB_ci- zP?b?||GU@U(gm~*XS-74e|5AAlmaF#^t&Kj9Kh3!IRL}D3uAhSn5`ckKy3bX?LCDC zrV0~OkE9}h+iGkS{2w9zCRKpPq)tK8kLvpuO(8VEIQle2 zdgL1iQ}`XeHVX5gnRfH!59se55`v{Cnid3H1!5Y%5un>b+YR%C`nEcGhY(4&9ng@j z2R47x0~UbIh2BS(+sHtoa2a3pcs0Db|58xY|DQ3HOPZTVlx4~A^(s0-!Z0P$<|rdft>4xkb9SNlXJvY>he z){ki<3x3`nN&vZs0^VkX-WeDwoS>-S#sd?zw)@z*3-4{QC|qdNGm)9s=7HCAe@`7l z2Mhlyxqz>LDFQlid_w}1YX7HCn9r>#GlW(zsI>odIne3H){}oI6%1sTBRai-x)HX0 z>T-bUVHyT48<;|UI3GSp8b5CD0iID%WixF6R@bkFRtnMcqK8TW%=v)lU!Es->`bU^ zMJC(YxydpRI-YwTncjVubk(ONDHx%7aME2o6iBz2x^6CM{cRBZA-e>oR zAzP9xqeEv0J3Hn4njB;gyFHYCfUf}MQiF!{;qV>V(834EFEBbL zQucfN-~s~%oOwHFuMeFM?Lo5?tXRyey;an8u4qQ33}PZlfRavEt_FhuPWpoxba&ef z@h&jDDVqdM^Jf%M10qPb6&FHz-53nCb1!EG2+REd$@64t_VxYob;O5Ef@j;noE7N3fTy7Y^`0)k;0~Bp9wU}-YxSf%Cav>53MrLeCN=|mx%7SyC2{Z= zJ=O#gc+p=Y$U4AJOGaJ|{2PMzu&|J)>iNRJ3RgUQvqlzR%WU+ucc&W&x4_-U?;iHsDpAvtv8&&5D z4yz$TWc7*2QNypv1rUTWWj7|^xQd1CzK`lDt#td(Wcu3pvr-=g!eCwhdLARDcmnUb zS9-xo>u=%53mnF@eJ ztvI3CbAh5A>47LgYC5nlCT##&vx%zG+p$07)!B^^4Q^gF3kNMtv-(XQvA2f}p$k5q zO)WDESxpOq^SVEH=H}+QleQ|4m2aCHZtPrruj7S(_+I2L-?J^uuY9EhVSkkRy(PUkK6B^tltg4FA8({??04V=<8Y2EHbC zpZdNs%C~j|UIkeDtV&L@)}N}B1W1MqTQC^^K;C@FYlXX z5aF=Qvt&#{ojI@DrcZ9-G}JW6XJ!uYH31UEUT;h!L(1Q6m}JJIFM{f1z63~PeU^YD zgI!1{EqTQlnTR{iBtodtJlC$uCafaO-+?0Na3mZSjUWE`DoEcEC)({ zg%9EbTCl&u&%s#&DzHWxjBcZ-jGHVPGmZ5DJQ0ct&u6q}r#XB(n~lUdwYUT%1(MlH z&nyR@&2d~JwoXu%&HZqxpClB7Z#6_t)za+aeA{$t=_yx|xS5xgah*575or?v5IMNo2Q z%wbDOX7`>9o-%o zJm0n>qEbS*3<{99-B+c@f6vK6EiURfi7GU}X55j!_-SjY#p4fdlgFR+^OefAP+<~b 
z52x#2((?T?wSkqjjfWdGSvMD_-P_THOO0OF!DKA`=lZ_q>q%L{zu_qYH?f<}k9uu~ zGaJu$$Cp|>_x){A1nAqZIBBpKD5cG_3O}T=y?ge8FzoopHeE6wza3naU|s{GykBh$=0?QYZ1+T_c`~yvS#<{31(@{hvd!n16c2iTK?znnMgh@AeCh)l|{!j#R~T=3r568eJ@)UYe~-1$ zE;a996Z<$5!yDlkDrE4xv)ZFJ*Sa){OTufv%KU?7`S7)aakMrPB7Vw2c!?H5v}l&k zI0u_+K_E7^mxyxpYQ<`)O=VUbsLofqGntuhwC%z!;>@-rzUYNq;lJOu78p81Htt-- zIxQ1x`83kz+bjmWrwQ`8|5z3MrN`piv>|@oSvL%ZH%OM>dK4`@Y*CO@CITfnaFcuO zxWhJ3u9;@Nknqv0&dA#)rPXPWP=>N?Kc}*>zkjr&k&`Z;j6YaGXx@u5YbudHQlDl~ zS+<3#{et>cgFr?9+YNU|sV;@AFDVv<@1{8YE7`Rhj$8&lzWSJN>iF^#(WnC0NjS3DO|Mdj4$}Y z4x);VKG}DRh?bjAP2JbF#IAQ7|@&=@}he{|NY*`PAz@ zSXBE()DTw2_F+z>&+-cjMtJSsYDGbyE4BEUpuPDtMPH3qD`)Mq-lB$ukJrUMS~KAg z6K%f4f@9(cY>M@*er(!A|Hvw@#UJUTe6Nx) zUYQ&!PJ=gJqT6ox)J3zxb`-uMY+?LWQ1ro&DM{jlc1fEGp_K} zF20+Ca3DT$Dh#RK-GrwvL;p$q5q_TBi+8tXAGePY%E+fEfB0kCgg%nu)7OT@XIxPU zJ_-sEgvB>2a1p6$eZtZh@*#lV^0;PXfztnUn$Rh4CkI9fW3RUNoDY5v`LXhcxNPu6;czdH6jkqzRl6sZZPvL z5bF1g@$5JaTkLB(ZdN!t9G)(0UA)uP`2NMYZu~TvDDKQSV)x9PuZN&JnZ;xyTGPvp z>}eAy3)H0`dsVj#t3&)P!BAL0O zy0+u040bT^TCZF9HcuYpcc3U2<#&dn_)bZtnHEen;fNh@2mMz2zDsfCK~738+G{38 zrdC2(1B@?C^7B6C2wk6fSK4?ho`t@wZ+iRoXTy(I6}kl&pMGpLxI9%{0?n1S+kf%a zC>ghQnEn&{bhgF&dP`WyOa8b1V`W(fD+Y|YcHOHTxA_GZzR(S|3eBgBg$>4^{v0JA z@IZ1eYj5XY?4R|nQt-@{@Hg4~uCLTA`T8S1bj}-xY-erFGDTr*$YNu_K9=fL;;Ac(k*0;QU4Kdlf z(z}^cyFG;%IVjOszv}n)kRglynYcAnJmhteJ5*Gu@jmnXlDKZPjPGiFk8!WH^3&qn z$2^dnep6-TAL0z%q@jw<*(IURqzALNJI&X}N;eY~x6Vt>FPYX`p7>tbUaf_OCho56 zf7H5KKP6}I}0z=IKAvvNAPKu`j3fLPZ?7D;k`A&$4eMjO*Z;_ zpgv*59UehVZ=XJ9nNfjj8!{h-xOUY@B{&rcZSgbH5`w8Ge9xqu zgWFI`wUd$qBtFSAiNX!?;Zu*4eI@q~aYjI?DtRXJ!9q|J&Uz0G+k9RmMr1F9X-9NV zDgZ%?2akHB-Z!0k+8w)R^?Dd}y9ic2iZW5u9QX9k8GT=4(dcUu$&r-b!PN4mnvq=r zpvT0b0c(g0N{@)Q4+v+skr%(JV%B@pa?(~)q$ipE=w( zUp;BPnl5a(J&zw(vGs_UKpsalKrq^-5ZM&j2>}rf$3NI0s#Oa3m=u;9vKInu0H$aV zd6}P<@TcZF5n(gET`HZ15YjppP7`T)DOLiyk{v_k+@<1meA^K7JStYqWMn1;M+9y- zB!5V&_%anTW)LzZg8icjK7GOOIvS9KKP6^}s20v{;Uho3saqgvU-Zzx=j&=M?2p`#v5=~3;^oWeK z0XZv{2J$Ad6~bdUeE-l^X-sltED7XQ)FS6U+msnu?*6gL8N;cuA;;ozi2BY@{jlqg 
zWog>RPZY*l#p{?Y$oE0A@L(G`qA-n5BMCJ^-1XmRt4Di8mr+X}RUeOZ`7Y49>0-;B zcFz&vk)S<)nL_mOkt=t#m;c232LE{%_|rxfNfQU0LGmuzfUs{VI?9sMyzb(rd{}{D zvK^G{bVfM#z;9d#PzuHR$;ePsV!xIZq^{U$y1lh2%rHfn>^FXq#!=fgr^~<>8e|;8 zBhbbZDzQ>zCz$`uRKkf85i34S(pag3b`|)!5;qAiO4!&K842pLIFDPicrX0zTcfgH zNjJkeU<}f*?o{e;NCu)E6m3!4WpsEU%AGmLV;Rg5MzFPVW)Ka*jZIbyWLLD)6r%QNElzzP zq}+}JOXBI^wufBsVA!?4)Ic#XziM!*jpf`R5 zc+m`{_gw`7gqPZG$c1q#tO6l*M_u~=T8VHNEl7gR{<1&DV00Tb(*tm0fcA(4rhP(r zE-Z7tV&@n+tyvCojy%3(Z9QEC`Lom<}Ltv68~1JLs@6QNkr8RvC+fC0sB7Q?1+VaxC+}&rhgF^bzNphs>oS zUbl`K zu}E(HNg7zbv7nZcgsSp$U+xpoPgw|TRFhpK6 z`Y>KOq5(fhaGTn91>80g6?{p%77hul`8owK!ptP2_}8F?Ry+8IO!Pi zLK+OIN4e0&baC63*(9*gN!5TqzQ~QfSPv#`#dk^@c$&@W@x=VYVNc~!E2H@bl+Lr( zQcQI(U<+HHitf*^wF%rj7q@2iS3usukG8zJ-FHsudMFOElaVQ-+?)iTmqxJu-$<5d6n%6uAX~ZK!z;rJ+k|`ov|#z(LopLso?my#+Yg7t<^hPQDkJEjBVt&(mQ39HFQg|! zC9SzuezXUeU5ARxL8?+m;s>_-y+N;VUr+ap@h4p%wm$nhL?s!O~g>VWxTG_Kt>rY~+5wK%VES6+QrbsCBgqp{x#S2Vqc zUlKFkZ+Nbepny$8c*>mBHO6A3V-q|<4}mqIr(pJW!Ob_L@8SrrHhUze$Hz`D2r;<$ zEdGyF)G~l75?y!{{0E=gXsyYe$&CnPZ=sH9FM~YSdpKuhWLT@g7-4rDP5*6BI0u>M zHjHxqS}kH|M!`~N{#qOwUM<_r&1_3=m%D90pb(jheF?V1ff_6&(x-xsoqvBF?pU~v z*e#S~g;9oq(X369!)q8zf)lalRNX1kmdm&RhwcA27qOe%vZGPerCmxa#)txAgB7!5=R?wC&;FUq(W~$S1KPODC!-y4#Sg!G%R%iRw5=0 zE=FtGPj>z?uU1fFOTN)iY6icR$ln#<>);N_HjB@oO6YE1J7p1Y16`lr2Tl!^aZFel z*ZUtn6$yEdR~veAgUVyteuMCeN4hu08>LRQW2QRue}#Wog&i|slVt|stC&0iVP*@Y zv&RUwk+YjTIj@kLba#_^UeZ=x(K~csG{m0oXiI=NvnP_MA{?*b6m?2Rb~Lx0^wxGt zTCcy0*k+OHD|rf#=%9bR<)xfAMxFf zyYZ;Laj5W6>6Rz094D9mgu_t!ct?nT9-N_Z;iXXc>68sDol_j$FgblfU?QEc8Ks_d zfR}~i`Q^4G!n$F>%p_+kFR>< zz+`&YA-#w0({jI`IZqh-tnTW17BYU-FNwNnOWH^&C%Z-Z-`=k-yzqlC5*-$1I2!>5 z_kPmoXm03WVyx!mU}0nCcsFYF-issdjy?62`bEMRaunx;?nk&NE4xSlVt`OY7~4sG z<*^DKf#*cDhBGGs4VdqrhUmYca-llYY?eNZ_u4Xk_44(ST?!gk&bc@x%7;&Tsfq6F z$LsjFf7aZLl~y(1=f$(sxXkfu(`KHG`LMtE+;UU5j`q&I_>RMLini6+LCs>%c>(EPJ zcYbcheS%QB*SP;=tkd|<##C;%GO2Y+C-uc1<>GX-iz}({?ByW7=205UW{Z2`$*L@# z?`X>HCgid3SoBiVDm_FIubWnPU_c-7U2Q-@V+5>SH 
zDJLkmR=r5}Uu8D!3r~Jd@sg4m>V@=H(ST~kMA1O5eHkLejtZG|FaH?f{T@5y?V6bM z6;|HN?TcZZK9+oC!`N5B+dndu4gntr`lO$l_9n1=bQ0Gii)2-H<20q($f91em>4g3 z+mf|14!k)hd1y>;UVng5FdFa1*e12*VC}6F3sH)3j%RK``KB9%I}-CsGz(x}EaES1jaxmN<0q zv&Fp0OK$-i-l|`grR=(yotYnP^9OxuM{@ij?v^e4XMyiol7W2zq>tm#yTy1+Su%`e zxs&2ol>8WMh6W5I2fPT8(IyMJC1qRTy@Ae5;J=P96i4d zuCR8sJ*#=w)IiW}E|A(!yeJ~@6g?hRk6p`{SId;ZWV6|Sdsq2&ZoAePv7sWyZ z(x{R8&NPB2N`nVyoDcV@!PAWFnYtGa?Zg>`Omp-*lG40*PwV$kjq$tEhuAsMMcv{C z#!!?MOqCc^zT=}~ZOxX2g#TLMO_k`jUwWFY>F7JfGj7f;%rTS0v(9@2E8NYnyMlgJ zGq|{97c{^xa0=R_xkb5Dz4=9+nIQs4B$Lv#L{??HSnK}AmXqDnVU;}XP{v1u!ReP~ z$m=Z}-}lUUpK?!<1r=$Js|?wc;xAO19n`Q-yOYtF+!}ur?jW<*FERf-Sa31H_br56 z5<&VLN%o6B$AbqM%%`gkjpFRft`TQFudqEmL*)Av#+!Q!>{$ry^caGX%%=>nx@Ehb zfhzr^D+#n&xT0NL&^KMvS93Mf2hC6(_sB}dc;hSLjTQ;i4tlm(lbj(G7D1Su_AXUY zj0M+C~^wTXdScMmm$?R>03~ z&UzAW(EYjqTdhaiGwL=E>zYew(|cEI1IGdRRCA6#YJtIr#_V~<^8QMCIYz}7^5lL0 z_SM7jeRLxOos{V57@rNAaNiDZp`^7QlG}G%IdeZ28%K$wzOdEKXSglyHU6&n)c%Zh zr@Gu$>pQFp5qZSM)ho_mk54BZ4WZef47c~&%#irj*ejME^Khp>sL8jg;K>cIUQM?zv@gUYaC+1oh5~v zR*#Uc|3-oL!})?FcP>`l(}?&CX$;bymv+gj{>q4EdtvRDDD&Kv!9#Q8B#~ok=A4b| zZXeg5IDE9}Y%;X`1N@SXf98^>?Z;dliilg_e;YOi7}$EBvliGahM$Ua_oG+S(k`jx zcWG1Ueb?vq%}PaC&#d!2mJ)7q5B#CZn`~n3^FH}i|20a><|0RF=EY>^`>>yx9j_1; z8V~t(aeS>4S@J{Xiac-{1-wpIQyK)`91EmMn|?-WOMLNirV;zb=5}ze-PKl4kl)?t zpyp@V7R%$ar6w=W^P|DNWqS>(*zgm3R~f0Jb1W-{7s6PeqM4RI7fUHA9p}h%mp9ac z)@g$Die?309+_L`D){neufAErM)yjyjvOO>2NNOo{RzW*O}bU$)yVaCfd(-e%$6?^ zL@d8cZZ5JFy5wijKh7vSAY z&fnHi7R}9Gkt#1^2h*n0NcSR7k-YO8?#JIG>mz%5@MC{pV4nME>&{Rw_vXmc4W1GG z3yADIDO^D9WHeGQf@)d*E9tYq45ypHN=5zi@--0BEe}1x)c5h%c#>NEg1_L)`thu& zZbe;aY(LkPP49@6@m0rHwO{-^H#F4S2r-Xjy)AV|jTaz=`aKaVaZoxf6S?pJ(iR$^!oWR^I^ z{VsZY?195n9?Q@>fAD!=`N__7R+WLD3>gG3-S*JVw-5WXYVfhNa24hLlGn}T^3SXr z;GLgU>F|oRB}leRYLXkCW`{(T(!71yh?_sqi7=RqzjtH0lIlOZL7inE_`E_S!QReJ_6i?RcmCUo}lE8)P{7y58L zS81}Y(S39+OFoMWdy(9!AwH8?{rWE#q~3@k>im%~eMQ{4`woq)8FN2mYctHcCB`~DnjJ8e*F|=^0H^QkV=HkBT*0Q-2KmQ zJ%R%r->|I^L3_-d`ei1#jYsAfBI@?htyjMcvA}-W70NtP5-d+{2DV7?Vig813`TZ| 
zUM-IpfaaB$TXQCVI^wcTKYpuKhs#>YhxH6R$W>oKQLp)}ZubfoCi4twimIk8wZ?dG zZj;8CqIKmZy_w?l5UeZnPH*CJ=Hzc{7(W|^>pG9fSNw%vx!c9x(l(g*E2G7rcB$OV zSZY)i?4YgY%G2~E!sL@Zk~3~9>o6_x%r~VJW_6h;|0D$CqfX-aJm$pU$yj_%rJQFy z<_D)Q(W2wp2R|+W4LJC+4|C-1`P{JC?5g;w~w7gCP ze5RPiIagL)%*cA$RWlW=P@Kp!<*sx5+7;vi@yvY&+xK=pL^u-VWur4@ zLNMfdyjl$z$)?^V)q8jlu?-PF%C;Gk&V7(M4U~8__%rR8{xteE!|6NeKdhHtH81)! z0&)n&7baO#(B7W)OI7O$50zfJUL0)14gCo!)8tTy3eBy2pEOx^spA)sCiol zXMu70V;t%MR+V{LqBg3M(StB@6U6v}mVA!$AKL{5u7tiSus*+6msM7GxCs8Noi1-2 z?xtTWTA_8|4`9{zet@^{LSogr^4EjyKf`{nl8aApVuQo06A~k^MOB}S=t2Q8?)+LE zo)VWcS~?4-8`SB_#hkfg#cgZVIdY^}Y?14Gf+yMyd&ItE6XV;whCBBLftx9c8rQj# zBO@2=5mfcsw9YvSyC7H!7xyMgp4T7C?zoGuR<+Y=bj8}Hq{neeVzfoucg#0+O;aH8 z>0>f=mX+J7D@n+4B|;Id_zx^U&39Ev1qS&g$Yr+k17t~_+w3)A(>EKGqA~~UZwyFH zepW`Id5DHpE%c*@y;o?gtxhH#&heR#^VYymK3b=o-VJ8*1KEroe}~Ir9(swtby}_{ zw5a`7mSC^j*)c_cA-U|>6?B}O?5>Q}8L4&l9+T$O$@2dE5e8A-j z-qbu687_C0Gn-#hf;kJz66qErNei#QIg39m_UpIie1AJ)nD^m%L23L~pO@xOHK(4Y zA)+(V1XT*@Jk}$q@jGcB`4aaT^*blE>;N0#_g2Ha$w)jMB1*&lDNJ3DUSbb_1v1j7^j8d!(rzChJgnzdEd_iK1 zh6sg)1w6nrrD((zjD+}h*Wb?*T&6eJfUj7Ft-Ne&{^ISZ`~2+i*}C^`(d4U+vGt3e z!Rx1iTb~n~sA`%6@ZU0R6?C%;#LSs8arh6&kx?a{)~$LU=BLEN6V!@eA2ePpv@L9i zt+xegu_Lk>zKFsemEI2XB&Be7cJMp*=?ENFrCxK0EphM8Q|UIzp|w0%85%&gU!Q-f zA#`O=P&e~fARx*Rh6=our7c89W%p~pqH6Fb6H<`2Di#W%QmpwE`A1P@Hfe^-7vqj3 z>`6hInw=$QxsQtdsY``r%BHRRCVuai#aW#X_;M$1#d0jXu5gt^Yd!n%J;N(hih9by zA5UF;yZi<0ut$7e;FqsgoANf>WHGgerx?Tf&G2>NuYDg;%!-bANb`u(d5H*DXs5m7 zcH7+ql@&I!3-$_0%P}WmFdl5BYWl2RwT4Ld#=eb}Phl$_4_UMSB+H_MgsR`0R;%S& zTfrxN-6l)xITp#`HRVHNz3P$lIylQdMil2LL@EY`Zn4r}zR|wlE3)d59C}9FsfY=` zHy)ndEu7;xZ!;uZey?)x$Il5KS+Cr{b)#iC!OD%Jz1yl_^ecVEKUF4{c=g9`>3QSZ z@RmeguXF9a9e4TUqD`045E(nN2MSE<8>+c>o-{s|<{OuJbC5PfKA3Nw}xIgV&{Ts#zw9N7Y&sDKL9;I!oR`Fg`Bd9)T!}Jj2kL4>txc-PD|yQ z$R^xH%<635o+ZkBdI2m8EbFS>qvn((T3(_7lj(yey?Xvr^>qobAd%PUoGO1?*1 z?f-&e^8UYqCO7C`%}@JBV3Q=ZksAu!5M|?c^Jtjd2K0^y`;iYnSs4?8^U{l_pg3}_ zj4%x{olwuBlEa{rIum|(=fXDpg>c|CP4@g9mhEj>IQ=inOy|_Bq;vRWiBCeys|GUo 
zMOflpx$nASDRzsdjhfO+&$2v5^N)~5ogrQefdX!Zy=wQEk-pEo( zJDMml<+1pSRyi%z46OpUor>+8^QK+Qf-bhR#?|vB*sCoiTr+YDLoobRz0un|BaJ#t zZl;%4@=I}GSPQtI_;7y8fX?z?uitj9iC5w6E<0$%<1WOXN)Vrdlc#}Y`|)}#+v~ic zE;<&?ug9RhQS2#nd$Ev$=u`E*DET{4rcHxT#rekUEfTKgvzC)$!)r)}N_q*&-4spE zPyr*L^OTYq^iPpJn@(78a@eOyRRrf9f1$M6`Xl)}S?JN!G3ZdI#ul+)D^$y2=Z~tq z?F~$RZ9|Us$}*Rj{OmNl$jAzzUpd#n{@!(r^z7cPR^{R$i+zy7Y#o{x$#>f%x>U)Z zZI3;PYtC|A>ki`$+x55{4~|+>j!VVTuu7{ombEK>K=l@pD4I(}i3&P*&}PYlvW;5U zM(R%FFETP7i+^4y)Ah%9O0T|a>9hm1P9an7OsVz2quel%%yfC&)DAl+h7a$*g&u*x z;ry7DH%4vbEE*%yP}(&Z6oR>j@n}k?D9%8N(lJWXk8p1ZZ9t@VSRq21!QNqLIZ1~j zc(zZq+1?z{^||}a=A*i3bs>P4_+-ulI4ePA-H(qJ$Hx+AQNYN|3^D6;@Jhh|<+o%9 z#f2g@6l|;hZQ1hNaQ#|v?RA_2HE~WWym0yi*sq!FpdO;!)$^-K?kSRhPd$Xr_tOBk zm&LqpiHk#E~7R0A9a2eDO@Aju5RWA)ydx$3G&ggu)NeLhruWe{&FoUN9k3 z4?c89QHdFb=i-G}ABOoTQqV}M)y(4K1<3(b3QDOaOP_*LDG2B~V|b3f#78c%)D0yV z{z#6A(L%OhBsg&-vbNO)9Gs>#b66SzfxGc&pn{a05{^ZYg!aC7^*B(oCLXCKux-<8 zju8lkcj9XCHv->E^2Khp=%>g_f>?w)Dd9u`YoseH0~UBxaw2tQUeHOW)YkWri33F= z-i)DX)(>`V2I@#=?yRkTSR&!V!C99@_$ri+m1;nEJzYyBAfL)+6`)Bik;tLEv_>BN z!$l5VEn>KT(iMaY`$D=xUU=ifs|p(Q>`d$Rb%paJZtkw+J{5nZ`gN}$B)FS5e_2VH zg(h)6D8h@h!jdnpfeiMgt|Ebt4u%_(*?M_twxZkC$#{F2{7h0FS;ncNn7pucoH$MP zn!z=QxYl(lIx%luCsH$=WS=C*wZ)ri*jBW!@kpngY%@A45sZ->yP7+IIbaP(Tbve~W{81H({`_R$ys^e%K5shGx>b0t>12czx2c^(FEu5q$L;wsX5nhN4=-rLvR1B*D9q1CI8s*8g#3Zmv$HW*w zUugg^z`a-s=@(Y_C^+WTscf(d8s@wfY+Q8_RojB{9~MwAnF~uhxrW_P^S)*SqG@w| z$m?p|Rk?g1w&BjIcE}~|idI|qwdR?wCU>rR_WUf*m%6jB3p4cEC6;Tpjk_g3P_1Qm z<>rR_`TCTDl;s^SnGLtC&WeP~fw(o9>Wffr7;{^$r@e;5>y|mt>BZ|7vq_#r zp%r)iT5`0m8z^^NC3tB~0zxNIsQf&FdKdv~K&$Jqg8X;zos+tNVbfpU{(Bo?^W*G~ zzy5Q39M2IcKabjk)&FtZ)kCzdbsJz#HszMgp8DD)%6D0>sG;?gI6vq@OK5MEm!;%t zEU%Jf>A<*7hv_J0=gjS2yS4lE?J`+Qp5*g^dkET?bM&xgdcj7AFu)$yzn(^@wD1?1 zV*jpdJ0i8Wf43r&&V7t~h$39406@2w=E zC|;7m^>x`alFMJzL?F4YOLw!Y+1``E{me_%-_P#C&abX&Hi)KvIHt$ouCz27pi{5& zMf0|>2~3t~GQWt+J7ho9C8(!1UaX_!Jsh4z8L-ABTJnot+SM6!+|4x8RLTsYQVwbD zqJZwcY#_|}bTLAG$?2==t{rl&&E}QcG1Bzxn>RKOVXK5BQtiLDGAptu3Q*5tm8@B1 
z57#%igp{_@@ipX!>t{i)zjV2wHNu*ugiWac5xosBqY7W1pVg}P<`SceFuuI5mSsAz zX?n<|uuPW{35H35g%L352DSGTWJ5}Wa9g^Niu0-H80MwPmm&`E%T=ly^eD& zWW)Io6t^;{Ik*UTc3GmfGHlt%Ffj_#z@}7?`GQiRnE8)%;fxVTKS@z9yB|MCy5jGftJbUkzd0Ubo0h59{V=TgGHjP1jlEcVaoPUU~QO_n{pK4R&`rm%+@E?7aYVm>p1C z*zQzz%wEF|&hmU!3jD50yk|;ZVRuLj-UB6}(86xAT{W{ne@-dYk5TMloInKGAIU{% z&k3pRYx70%b8aQj7hqB-85|*hNzyAY$r%LpJ5Kumv}@YSWt8n=%?Z3CyVaj98O9jg z3hO*uJ-zrOTTG`ZAoURZ&euzz;nVnNn5OUP+9$-VszCTkUr-{M-_8i=n!$qm*ZrQy zv3O$Ht{a5jhGT$q5$IpXpcffnv&klrJ^dcXleT(pymLEFaV21Zt=K8IkFpiqfwDbx zsomD_bJ|77@oc`pb;hh=+5bzoko&c6B|Dc^kl1YOU}qHvr`@U9W=;^{?DIN3<2eit zj`WOYMt2}LDjg+xM&>PZm>Tc!fQN!l{FaO>R05=ygsDFhH*Z)9Xx*xaMt7+y%T)DN zDvZ4UDbVs?{%Tq?bGuDI`;S}p@?}lQtv}y3{wKHF(W0Ns_w{a`rlX{HrvI=uOM8Y2 z_t_u+e4BFe$_Er;^dE36?VC)18fmm@_Cu49 zlwD=ZBFRIN?mpe&ANO|g$9KCs_bMqc zo3ar<>=dO*M~Dqz63hIxieDC4iPujVD!+o4c58MN_0HR%f}!bbb%bQ`)t4EXzIN^@(usku5Y7Adq%RhCBUchG^fyCRCQaH=BNkyWw){yz%G@~kSnE$!a708sU_XJWUYUNnIIsFvZKaZpk7U_hA8iOd%4cC_h6+?nN9Os9 zgZ+0e-yXhv^Ez)yQ5I-oz9q;T*HUI%YMU27M&l_IpoIVTmF;r1TAJZLF4}r?&>t+0 zhg8Z5+F-eDczYl9*akC5z1gA%-6?KG8NMX96Kx?e;FZk?Rw&q@Xl9{Q9yh-fA%tCp zCW+AESzkSkp3f9J3I=?(K&dgH9y()yJ!61^cMcA|K~*fg;Tu%lnTaGnoJEribOz?F zeb_y6=bOXBw+ApLgZl$OqrNeqld5^?VLU?h26G30#!@}U*3h%>M!VbKl!Wq#VF-#P zd{tOhe4d}zdQY2&zeH>DS0J@( zx$jDAhP*2Hze0G-yS^e6O-M#_7UnEyGLZFDjbL;mY!R286wu_vgdLSx(n&2mjQcat zkes_XREf)bQS?f|crA2U{y`2VRz_RipjSFpYKH;LUv;qL9ql%09hk8qLe{)y?u=Pz z(L#cjO|bC=e9Edd@MSD?7w1(c9Uo9odfJp#rn*Tjb>@O_-3q75&);eTzKS3{L>Z@?w;< z0 zu#D8scYzl+bj{8ZQa#F(Ll?UBlbXX<2bNvfSvJ(@z*HYVN3dc~X}#jld=_fpF*FKt z;zauvDl~yR)B#Bx$rOOv1dsuT{fG9$ou|d@A{lcLk_#FNOTO>#H6VI5Z_AmQ37mMa z0I?4nX_+m_1jl}8$-cy#+gm!+G`-fo*62KQr$Q7hbRK|X7^9u*SAMb7n;Hc4*li@S zKrmEbo)%oS))6{CLrB!#T`v7eG)k~vReKf>XXx4`9N;RzbFWO|;}oQS+E7G0+!V5QDEQba8RS*c2$_ zF`~LOA}r7`W68u3d7;5u1>BdGkX103sEdKN$XzLgk}l-0T}K_W2Y6q4{Sp&G{SPi# z?E&ibTzL4C^>eJ1zFJK7QXK?uQ*Ah1KN&-y;b4A=Z0MJ(l zig{9Wmatfnrody%P$vUf^YQTDxhzz4tTHSBov3$GJ1l~l`Ow0Mo?wJa;Y|AI0cSo? 
z$NiJ1ifUGZ3pckMRwIH95t7&2?|clW*5U|(r{kO$*q1kM7*XeFlpb|}^B|-zZb71T z7-NAm(K&g5Y>ypV`?_Oe$%43=Td#KSwO;Ms_e$}He*M!2tyfQxe6$v09JA1zp>>z=JA&9ccIcX$q*&)~@m~uu}AkI!=z_P)YHDv@Y~=gv|CJ z7?x>yDC`xCj-d(=@AadT5(JZs&MOHnD!njQyQL}!>x%FRXHzh!6b_li(Krz@dLO}C zxhCFeJZ7VvQF?D~X}DLNQ!B6D`a+#6mXdAS-sP?LaTlf09LV+y)ZdZKaJ^J`(a%Dh zxS;TB#M>vOy&B@#gd2Oa;giz-b5Pm^WI;41i#wu%85DAbbTkT7=rk^$|kipkKQ3=yOP5t&4%NH=QCrSOFccRPX1=O`zPv-M_nAP=ozTPV^-Rw0AEN zOUAt<3SJ`74b}4M5aA6AY2_p1?qYZ2cFHUSRaK*&48G=vSoO+-%E(`gi@tIngk_8vpxoj zG@(3pPt!;E8Q~iQC(;(gT%AEHI7wopYJ^B;G&)9y=EE_Xh6TpBnqbgUv(b$_7%zII zRX6Mypf@2B(uLp1nsc!;XUl!B{&J(>iP;aC2GCaE$&3-#GV4pUl8s;rV_4cx3R{|U zVN(E?X`Y}0uua-fCWlmOrY3huIy**sh3dgj2@!>q@gU;Rb7xh9Tt1n2^Z7J;*6DmQ z@$#F2;qzMartDSuP!`;>_h8dAuM9l|YYZrtB+QQ1H2Gx}-EOh8k<{q%PK{clu)>^P zhQ>Tt7-S{oP&W`{nn%n*oIg{BK^8*>9*q*vV`-qF^%&Jg z^90^0btn~09UGzJturmx2#6b3#Q?~pyn-T4J|Xic}O#=Zwv7j71KoLYDfgq~DvboU(`0hTU}VlME9X)Ydp1UC92Y^`X`w#`?8 zU0fWpw~~E^RIy(c-wbV7SDsS&=mh!q{i6LTz(1xE8Uez1TKGY0ob>yM6P3AoZ!;+u zlPnrAz)B)QByw|sZKyIAw^j#}K3!mCdrksp=kl5bCi~@CviX)4G=;b4Sv9KZ7vgKW z=Ca63vQLt7@ z`#8|YJ5i!eFKQhjR}G$DScO~N@`dn8<+3Ulr>>-Q&ZyB9NXBm7?>1jj$SR}vjdD=qs&@#0F2n47R-GrqPVqDoi_p0qEdRdUi4{Z;);C3O9OoZ^od@+g`J9LTwa{bEp+(w9xP^LhfZkW29Vv;_PtUtM(*Sk z7}G**Vg;l1AbXAj@W?c05IM+bT;|VG(?~vti^fbj(P`y2J0FnN5K8Tl z_gYY^QeUGCYP}Y95vaas0g`iO6Q#=%j87dKaXTO#VC*Fb5)Vhhul_hwIs6}ay z7?@`83l&{0hE?c+B?e-ryUjNz?s?kuzf8Q>-{$mJ;uYrbn#YV&jlu^uAjpvYB%hfT4FybX**VjbcW znM+pYyrZDO7hSKmbT`&p#D>0QzJ|5@X8)}Z#&qxWC>!-ZyNhHE)efcOS_LKD%Sp1wC&YmKnga{rG5cEX{R3`#T%?hiSFI4aYJRrUNe> zLe#N*Ww67ZIW1CWsSK)1tX%qQyaMc0uvC9^qzDd^Ued5qDPKbk&*DnKnbQJ` zs836iCM=qQQaM`*8m14F3_OU6bmY9j8beQQi}MR}fPZ|YG;(UZSl}f59O3CO8fsy= z+*fH0uNr-aU|Bs{1=dKR^yKK41W|qhrJy!n87OrT_0FSA>%vmJrI?ZP37+z#mrEle ze;(*mQ9-{fSc=r1x?jMU6Iu%5vaebTx!1yJF_bGmiQ(|at*WX^ic_CSc8SWLzgrRe z@grCaXfj*YO`=^zMoxl1Hahbv)J75H1pOcrU zJ}Sk+1r3n^UmD_s)Ve2VVQavOb4<7pO~fz>f1(Riu@K`dIUWMRM1T$8wFt@8G`j>( zlSwBIXIb?F;xHf(d8(;T%O*h~QZaI8P#>`p2(2{$9+=xzMm{xa5y7y78d5U6B1o8} 
zWsM{+1QeYhIi3vrLcs1I8-zp(cnBp0OotNZ2-ksKnErhxI4(Xh(V4S zXfzO)5BVEiL?cm9X1Rv>Xl_oIW5<%ARwQ3@jj{7#UYg|uLZ@96ssNrsbm^)WIQ&$~ z9k3z-&>BLYdC;f~!-2kr209ZrYXN4*0B)TjYxuNFAmk1$#I~4~j$55lFIlxO)IVO`-54med!y)F)W?g-q~Apk$Jbw49Ob zfoCK;+{r(x!kZ-I*w^%cHlxy2CN|A zvm8|ftI;7G1vxI>CiCT`CM!PLBv(#y8a})ZK>$w(2-(6V(5P<@3XNknk?M?b$ zM+ppa_-t$vfMIc&fD62AGrvM;KiD}S7Z9s1f?G=x@RJ|}L8IXFk{%V4OH&ZKFTiX& ze}|T&UEofA>q_%hvz2}nJR^Cxmf{PF@FEj|ycs@mFQ}m+@>BalfHE@22*pP}HRB61 z#5clR+{3+-9mNonypen&gR+{?WJhw}h?f#l!&9(>lmbZ*ipl3NCn)RS(gtkU2&(}n zy~PNqH-bNSBWTeXTy=}lJORhtgj6T?7%{jLC;;Dp|Brd&GeiYEYh$@pW84AIE0Csw zt2pelHiOGzn83lN9apI@6tqGUfY%`70&x$#f;k2YE<~)U;bk#tio5bhJ1oOQ7dA zF0u8B_f1fUQ@q%v$%vB~lZq4&M=s(SbCg_|t1uWLPsXW!!D$k;BM*D=1x`3i;V|Le z#Bw$cR#zxY>2!=0HvE}>ah*nZ5204OV`8OLuCk(#tK41-WhjK;XQQ+o}MHcSZ8IQ zLqOHbOie`ur^P6id0iU&6P;3TV>3K6D9~CGCp>w1kyIJp-8ISz|o9Y&SguL zP0DH+1=1%23NIhr^8fxXG`4r|mFTkBbct*_pn&FGU8Dx{VJ+rP+&*q^nuI8p>t&J*_z&fw7>n?1nztrtH| zM`;2kSTaF(y}q+| z@Cuazed)72FH(ac)kMfM7TIiH#}_&V=4m>5Ps~9Yst>)D$SW?BE%L~SPjfUwPO0#U zt9T7EF>Q7w2go%*s$<2wLn7>ZG&djZC{@h8%dj)U?5(0CMaoTfb@f+%mT^UwVdrgP zRow>#%;OJC0RvI3iGAK2h8EyR^3zENO5Ld=+Ry!?OZ~NV0aRYKu;9=L@k5;o2N`mE z+^=&B@2;#$U9~i=X1}MY2bd8b_KrKXF${MAUBJTJX$cY3)fPpJMkz8URm86LSJRo)a zWY}D7+`Tny7$W%*TNj~JyFAn49G-zs8k?;_y-p2#uv^4dOH(f;)*loj> zTv;n`g}(6?;czddv_#vG;-9%vh-sT{Gh{1$0Bh;w5D& zUyF7vK+J{|A&w*nnG`+Lp>?=+Gx8XnF(RHBL=L)@b~V2U1#$rF z+itOiVi=y(y*AM?LIx1r%)x1&Gz4pyOfe>s3(A0~2C+N~lnh^=T(^Nb+BGBAjzSPG zuC}j5NHu^Fi8J`8)mJc%!4#_={6hIdN!)Rzqp4fwh_h4uY?tym&T(;qU6K*YN?@l3 z{t;9^2Rdr)BLgUT!~jBuAS&&VRg4~hxB~czmOC!iBMS-A**irUuvl0-vVnjamwcAG z0GJ==O5lzH$^mx^y$U_1U0FBF2&t^nE6xi1A_N@Vj+n*AEOJIBdp^Xqj?j#MX{m4A zA$Ph`_6o78Ok|J)g%}wr(k5&q9JJ;O+ZC2wOQ6!fRn7&~NnZ!jvidon4I^x^ALMKx zfrJuc09OjY9rBWQ4RX^IszC~x4o)|dACC3vds71K6Bbg3klW^NzX+kZXqM15F>Uff zl|aZ$;<`u=ef>InGQKDy%a8{hDH$@HEV?d|n!cQZ3S@5h!FRTRMkQ zb&%^Xfzj4&m`gS+u&2Do-zk(Z`|zc$Xx5rU*iUt{?nVtK6>XSPXf79PuP}F&+cGTH z=Z#BS45E1dm2N7%DE0c=LsBS8q?4vwDRklq%CV;tV%*FK<%U*wE|B;C&)&D~wsmD& 
zz6Z!ZY$(C8-7qQ1mM?J-R4KNT7-c7drJU*m$1o|1l312Vf)wqjQU>awKcXMHU-|?3 zBl=V7OL~kk=eq0*DO#24ycDeTxm?_NmB%G7uG@ z5H~#E1;ZH&N+BJ4W_eitHZ;iVr}D5bCw6FtA2ftXkHi|2Q(IUQ}jHpcVMlqa3*Uk9dMnu(xe zeb9#!=BHJIi>)wm!z~TaG{$?~P?fVPqtP730LBu%EDt@nKT}xIssRH z;4S0L;qe)v)ZkhKsf24u89XX-$p}Z4>{7MGpk$q`(O&qLVA}ep!(0LXFWle^J06}` z9RQZF=Z$6;O5L6KwD9SHrWPW;LbLWej^f1NtpqhMN>n~c%n7^iuBONyh+yHm`EsP z4>s!bOj&XPRdy&u@uCcOevJzuLBQ#*f-Ews`V?3C018}@EqKL9HLoZ_0F?QH=1-yD zegFRS8vX0)E2uOY=dM*inj2Oo#7zDNZZJn)v`gUp#oDqea*Wn&m_6%i9Io(Qn6YRG zl)--YlVf`_1RcnV7mYA`2qle8c{pD$2Dh6c zOjH0I*hh?DKXxeL8u)xH;`9<*#>LgG?JayU{@02ureJtJ!g7>$QTE~T9OmYHrk6>d zz;JYa(uL*8mU6?fvZbb7!NxO$nj)xi+Ux1xNj$9AixY*M6>}&gN!(L{CI(eRoPt@mDi-s8>Rzy?o8zjf$7;`kFh3_Y}io|emWk39Jp1!!owE4 zM4Z*g=7XIIK`H%WNWKpKGi}@aDec!CNt)!#!BPx%j@W+APzQoUqJSj(RVXUkQ*^Gg zk32abnl;BtWMY?s4wr%se`rC6hepBh??e#y&Lx2%3KHo=1j>U)$p5;Xe{TF{iPZlR z7TN`zZ-F-ACCH!|Zy6kBrl&A5_uywQB`IN1yj3`MX>$ATzF(cm}2Ntt{h`xwvAv_Yk2E!Y> zvjOzALFcM^2ha5}odzXn1TPGfz-Z!}S?1Lc&XABzQJY&PeNuWcFCB#Zo+Cm-qtY~8 zSX?*9;a}_|vg3o}cUiv{IH#AQS1x<}Hp_gcv{~i|kL2cei`Hg|y5+nsx58YR`>U7x zyWhL7U3!^?4?d|(;rny4!(P%f%EsDa5W9G+G^PgEQMSbLC9n}e@cPc(_SzbMwSMas z3Yx%}u~AEhygOsY5Syq(?Px7vBWr0R;t#%Iw!)!(nJ(;}kSb@D^4Mq7WSo<4h&)xkl8FVXZ#~IZ5xdhqOww zmHf0XO^C4WO3D+mU}T7zErlmQtfxOYfN1tX5hTfwF*qM0xZXx4;E30CJ0(nE?tg~e+mmxfv{${IBQxpPxo8Z-gJgVjf)opfi=|A1A96gI^`M*AmH2EJOY z`}YkrE6+!6`l;lOb?0mh{yTWWPHt$QQlj|-UIkGU6#oXcqKwC|ci0`WE@sq2hj=7G zg`f_96~J~Iik1g6NO)c{1pZDL0>SVC2j|WOQUYG06ED$;?~G22hT~DN-WvnxHL;?% z2%wk1bs0WvIWK{cM%xuVB#vk|c;M=&A+o$y+rHU|F2ajZSYj0fErTTmv{=}GrOV}9 zVXmg@0VEfn?sD7un}mIZs8@QO*o&zO3pUCnB;5x7oy z$c8|w3iXZ|OlEjiC^5JuqX`LQ@E#T*;#FfKJs^t#+F>lNz){s8R%GG{3{EIOL|B)2 zMlm_qX~&Eqd<;?gk;I>lC8f&r*a&=d+8?r};uWgzH_BVrzhV)(Z46w&)fZ398{DK>)?NLJuJlkGd1G1U5e|!bWL;Z2tIP zigSmXSsaV*Wk6l@OfrFPL4k}HM`ul^KTh*uV|zm%*JdgRmb)zDTLia@B1!nHO6^=I zKICi+35etpr6MQMSwqtigE2ZLt}qs(1%Eex0;V&&Z;o(h1_fP+qvSjbEP`2^7LY~+ zXy^jJu#PXx*p2zX#R(J#iZeT$)x(OB)91RXZ z%}XQDILcIO3+jhH6aN;^fSNBj%-Y2hROwS!%0!;f$RHjNDrEZ5azb-JW^oMOM^Khe 
zkBul6V!+^NggAg6h_45+KYtT{CSPbSMxx+~YK%a8fiO_^yhPPVOEZhiu5~nIbpU=PRBCvxRrvC( zeQ1?~Xw=_9GQ)#j8gmXdcpXis!=!nC06N(fHNHcQ&1+zKU`bA-jaz&tVl=+IB!Ih7 z62P_R5asO8+0UQD7#Zby5m-~^0mPNER7n^e1$^aNbOWxVMU)m?jv&df2l6_jZ-axd zPo;CbxyQ8tK}sO5)*7RX~jZAC8NK%WXD{6g~)Py&C{Bo zQk1)7$xlfgeDU~Wuw$O5Ae0deH|7n+_|70mc~^uo)FF~^;2Q%vcg{-i&CmDZ00(nsisCNiYY=-!gKif5I0;`isTMf5pA3`@2L{J1#`U{Dd zG)LafAKmH~TmPghvdwcBcv4Yz*aO9tQ^VG<)UUC7L=H5hlZgn-T<@ArL7;Io7V!Gh zngT9$=YDZrUMS1!BwaE@$L;Wy-=2KwE&??{_T=-=!s*b69l+iRFfuCxzEUp!vFd4sll&fI_L z1izoeG3LhSpM6?hDqD0xnd9mf_I}gGmA73W5q_D298~0y?xVUlT@qV<1UTJ?*%BM= ziy9YwHDS~upS&;ttzA&)p$yje`g2$W53GiAiw8!oz}s|Oga^f11S%g@TLm^T7F)!d za-|AoE08w`?wK{^I>Y9nuwr=1oB??n%`U(Z1-U|%=E7Ep+Q;!3^nDOhRw7?45YSIb z{;pF~&4%u1^5>X1QQ3u41sW%wqR-H*3G90WRSmD40C51b$~YI3BMm|Meov}R%uB=u z@xv{(6C5`;gdT;@rrjYA(K$3?+hC}WwVN)Z_!Gchpo~hC_>t?}g%3$jTCP6@0gW>Z z6pVv<@e6|3>^{qHS+c4m2;}tOa9*9iu^cSO=^UFGG!iPc>^pVLUImLG!X3aW7eDOm zY;9Y#z48uj%B6V3*D3pDbuX|i#sDb7r$$f9I1SLLiWr;T8cn#)T3i2j@Ak&V%??XX zI_}Sa_3lS#L}U=626U|+#-)Kopoq%J%?8ttUVmU*OE5)CJ(k85)yzuy*=?L+nChSv zl_?rzCiz6>=DZeqIg5@4U6@bQ!gdi33C@Mr|+b0H13`peskqF)ZKuT zv8~F5(XQ6Yp5c|+SUW_n_a~c^0|}5$+qt~X^x1!V{^qwozxi$Dm*L8r-!QCiOfv{5 zACYS&`Wf{R$89N*qcB0Hh2!VEsqF!DRQT35m`aFk;y)EG3IAB!fV+(ih&x02gtc{SQ%Q{OVPzZ6e2FqUP0tHONoN!UyH{v*8r(Pnsf})Jp-nFMb@=r({xo&1>G*fl=hh;Bm8x5sm7#pZ zxz|F)vgAFut7cYN1c*1roj$C=h2dUcPPsLevvJuRj%OF=N+ZusXYG$*gKdK*{s<+= z5~wdept-{MNG=H3-Gz}IjXRrcx#pu1iB@e;F_~d8{cVcyvIHNa9OSc-9OUx_dXUdn zN`t-f92VU?qh|ix<@OTf@SeZm-?tS`huBaZi;Ec*Cvl z)!na}Fx~sLV%|!YdhG_Sn41@>i+$^Dbg|cNmd&V(l?wMHS$PhSIKxw9sIbNBZ{4}H z;({IhUahzrXR4LAjM1cT+e<_2i+jyHJI)h1c~qj&lH)n=p{=ls1zJ-xSNDY8CL z65n~eUG)0UBNx1+0ST@U+NWfrWFen=-c3=43=7)Lu;d! zuT5@*NSo3ntRS5Xg(6bDv4x3jpZ8PFIXF5cXFX0)mFJpOCD6z4;L&h@gluegf`VW? 
zeA$T6sHbqn`57u3WvxAaQ#ORk!5aoiR9(hSwMuP?(Mvt4W)bLx)XHSBTYOkLB%e)s6)@b59Y$w}+Tf6QQPStN+AI;al}iO&mx zenTEZG+PWr&na&}VXIvj^h!fWvW#I=)r{%Q^r+%P)(q~s@J&xnASa4E3{ZoQPO!m2 zmx}T+B=XA2K)YfeljFSX3y;@od6W0%9CS zMpj`gppYv6GJ=pQ%oxX|T4Dj9%aZ|)9}DWB?qRY|7P9KdrGbFF5_?yeOp6M6A|XOS zYd4p|9g@G17dyc#s+F#4cGu!QfLT{v@9{C z;D2ZR#vLWZ)&=_5K>*MAKRHu+6rSy|sx1r|hdnNX>uF7A2@h2qd6o;cYoZzRgsR0# ziFZ}*c~9LhQu(V>ly!v&`d)u`c5r}c&w?pbdw+}mG033-qvB3dd8@@E2UsMo^k1rl2T%?0RGD$ob0Y6(5u!V6Af!syJ@ zR%GeUZei;0J~PiAwa|va-p1~51bFojL?rl@UE~@Wia=aE{_JyOsf=0xHbBY0@7MyP zF&a(GW3a+1!J_s`@O)Qdph(%lWS6;_xC4%VE-Xynfol0RBLc3?>!nh9EqwOZmTNa> zgj@qe$3c+~b4DM7St81tdDbI`Z|kQA-+X!1jo|lVj;=j#V{_?p0m%k^bLE=7`RUFF zcy*=6pP@CH7W@Y{DKmA|qA!Z?u-px4;K3#jVQ#G5#NQ^ngFWEU)wh%BVX???|MEBV z>>I-VkIXr}x4IfP#(Vth)15b~Vbg8B6tJ&=Vj8I&YIK{@1?ME;#L)X4-oK~`Q1k+2nclCFnQ!%kFxTk(7 zRyOl0jeEtneQdas;>*zPl_GX0%58_Uu~YjaCDC8_Eekqq6NRc)u`Rs`6wmksna%*5 zp+dm@$3JiHJbe0M^TCrxKjs~XY*F`kP_#}yaCbB`$a-d;Q&-w1jl>YF^7&rLlm%ls z+N_8rfRJK1S!-UNJUr5+rP0U#(NqV}14Hbc~n{A+|Seebst=<4%fDe%Ju%o%Pn^yBn9`(F+fc zHbvai9Kn1zKAyqOJgv?WOh!PHPNz}^i>>*o z_~=*gJmo!lysJ5m=L%!+t@>6AgF51vny% zD(lFbQ1lGNL-Eqt&wPpj|3*ORf019 zAf5#n57hfbpMwt3**%14Yv=x^6&9kUn55@m#4E~X$-n;jzgAy$Cor21s+bkMsEt4T z>!1Joyy@M7`CS3xR(^YSr7iQ+GQ__qU3KO8n-#O@At}o73Sd6|8`Y5gEi5M)@E^;D zUc$I)^(y{K@g-VYpziX_u5Gdu*FOIYMYW^i%Re>!btOKt0SmVp$82TE5laqFj$VAv zgO$CMp?AkT8-lbEMA_)wG>uGpa%~6}cGp?sFwdM*e}{Qmf;pZ!^oDBeEXF@#8|W-I z;I+pkELS~!FNvZ17IrBfD2|BZU{f3BW0WkX^5eV3-S(|g`LV4~^7=tv90ADu^i#~K znb^<$aTQjVAmkLUl1fxzO72rA67ppSlCClPZh2+0f}V{igFdbkC;1jm!g33yuI z;6$|2S^3hhc~skxg%fRmc2wX%706}$okImT zPt(%Tq7Tk$wQqwe=)uG7`%fQj?L7MF$9s82ggn!@>61ulw~x~@i$L%o2&MLHy5q9h zXU>KgYRTPTi9?4$t2gClr75CL^gwbrdoaNQ!+IRfJPZrh3)T~h3g!;a1rJTVU|c-n zH=R#>LmYb>_>m;ywG!92uR)SV<7)Q5E&V%LkY%p$^ZP397A=p*y#XN0&Gk!1<^4G- z4ag8<+*WKD_}ww|Rka1Q+z_-AcJ&Nb#|saptB4EDP;XlISk~J&+BeQt1P&&wF}Y!P z0(&V%@0D(0=-lHaMo*@M%V=2jnVxc=HUt{^C=|7YQED`4H`lP!p31oAGEeq%?bNWx za5I|!lu~`Rgm18M9Dus6i=Z*vfK6NpgS5XQiVhLt(FD$pwpJvpbPyo1wT&Q%Dy1Ts 
z2H}p(D#7+;k_%yBY+&V2!0+v*-5Cg0NR90}DBAdIUuDrqxk6=fS9U2KI`4E*wmd_8 zk|Pj1L1y}30(@|H0-9~#yq{lv`)$ZK?J$(Fr42&~>2nGoi(YLS+ z;F*VImoD#ocLYEG1Z)dFMU^BUA)A)`DNnCrwr(q3Yyq5n2yFPxqwR=u;{o1Qf zzq?=DT)(|>&1xJB$Fxb#9NLiN3A(OIQcjrARhWrPPlV-<3~)|3guQJCUYmk6r%3CH zIogt^O*g(i9Kf!^>R}y&v3tf@N!!$R>ohuuYMgLnjm26$blvmK3>oBv-Q2f0UgbRs zOEsXuI<{~$6R~i($JtC&A{Uw2Fu3XUyr%0z%)J*9PN3Tcaj62*MDls!GIW;BwkO>& zQ{bG+aoyH?qa;?Aa~0+!dFcd5`!V}3Tgzu0Uq-?-kNkX?yr1Gpci26UpU}j9es@Xs zbGQ>R0A)cX9zapA!9;$=H)6{q(S?J{YZ_Np>F_Exv9t;X<&I~^jL%s;b(TaI=a|ht z%gm<(li|Q*Pc(XIAD!~t{iW_6Vwe)!!;XTnkjWyeqvUIqd9iX|EBB<-(>BBP2#bMM z-(bQdLcm}v)`bDl148zBc@d}nMFv{vEP@n1n-`PN7Cd&$4!tgE%hIh8Y(1-DN&Xnjp?*7W1%{-0%9s_Iid`h_+9`NgHbQ;PV z{v5BzFD<7AhO=WJ9BHGCP(mdupRcMp2U)77EW(N7SWrLiyycsw#(bb;p9*MzpRfK{FhO5esFFuO%T-KMAB z!*>do{o&lL6jdcwu+#Xh<~cn*8}8*uBeRX(wiNG|&p#`ILL^79p&Tz=QcBu1HJX9- zrJ9o`BD^T@;#aGSg5i z#HUK&mtY%@cyUG-VT#PkkT0^`5;N)B6lHt_Yw+Sfq7fH#rog42P_!$zVFNuu$ZGdg zB^ymP<}ya6?7(CK5|jZrU+<9SnwwWOOZAUoW_s1hAHlLLo!K;w>t^L*yHa7W+?=e< zFq)K~hD}*(8VCSrrG4^tWv$^K)wXPG&D-0T^{wb_ZA{KrvoPnElFr-rn(0w6Q==EP zz~l@$uJ;oIyEKE6JrIqD7YH=A5NV9RnEoNmgT}-BOgXw1@UcL;qT+&CWhCork)p)` zB4(Eljz*}V59mv!r}-eRv~(Br(qm+N^lfs|s$fu`~|qbEq0nBI;NK3#dIs zo(XkrEWzy2ltCtrg3-7%GI>I)gSJgbcLq^C%9fN0}(j2KBmUm;zDyuX1IG-T`r zmUOTIRGve^3vUO|csMl$HYSBqGx04ma8LxGuf*oUpvPX~14g6b2=PJyBb22)>{5}g z*3E_=Bi2{ng1*6bgZdR6`k+5V$!cq~-y+(ZDQ>G?Z5KZfQ$42&*5KesM_FUa(?sz# zW7090fy=+CmUq5=Fh3*}Q(>;8jWkhpg&EX!``; zv2_GJCC&|0o!abR0rEuHbd;);RvZwILveBtUo!0h$_7k^<@z!_`!UnpPE`TGMp&#o zT3{(#y0cqZieXKEinhs_JvaX#KD*PK!rc{My9#jUfI2V5o%_Y_LfknGl;q3$)cQ+R zy%_@cPI0S}agLJR0kA~vqo9P8B%{i(fbe&Re*tNlkri5SLfBjta=1RIt7SJMGB=P4 z*jeBB>MLV0y#OR;2$4)z!@vFz8aWq6KXnG^Fe|kh&yJ2(Z>?{v*CHaq9iAx+L&_?h zel48oP$fA*CDjO#?554>WHRel52gPMHP-$Z;(_=W9P%&%obTIIwp7;eB2yPcR0 zWZlTDW0)O3AsN93Mh?YP2#Nx6Eca}^!Cb&)FUpZV>7vuJR+gPrr=(Wi z)?EECyqloq{MSGKXS=!gk=lv2j+z&wg$k(hl-V)4gv{owecpUxaRsKT56-^6{0i93 zddvKcBSHx@5#h6x=svlVb>T9=AuZdP(@DZOj?eOn?p zp>_L_Zif;Dk=-mqp-ZQ^6Q=HYfB)sT#Fb~Po1J|h13v{2@wm?&d-C#sm 
zz+SN<6~YX=wZ755Q>sq+8M_b7+;|HKwPDqG`AMdBs8>85;lqfswCz{l)%RAFyT)L> zY*yMM0?kZsG#)sZ9=orVu-2ensy~!PydklkRpOjfx**`;#$Hw~YL}}0;wqFlk4#xexLAO1c9IW!ERXW&=E$HxlaWZl;(@wvRp+URAmP$! zK-N(Ax^wnWF##E+QuRY+*rEC)C#mupZamrir{;THHwb|!!-s(v0Co?;Ty)Ubqa@D6 zhHG63o`clhaTgMTso)*ow5NEPnB*u%+hl#Bksg&|zhncH9zK!e6Q00=qQznUG{C*S3|#(LvGN?xHS=b7D?CiTh5 zcnU(hj}Si0E!sx2bP44m#<{dPm@SIKyVcU~u(y`XQ!8y|25qr{>fxef+GNKkCKGab ztff?Ji$|X;8}jTIhW}Rm8rj&v2|kXsc25mKC`^U-30JTGP9Ml6P^?hi06S)f27P?cT@}KN<7A0sbHQeMthUpTsXbK9v?-W~T+pA4Y6U{G)JQ0|4iJ5|8@zIQ z3(YHy$h`swsCiaPd>+e0S|~-gtt0EQ>@n$kc_2c=E6nwLpwZ#=huEB-!I>J;>keOB zK`StqVYvzT%Eo0APF~*%eNRi12{g~(hT}5{vH;yPXSX~=%8A9cAlMIEa9UhdmwCI9 z^tT_4HFeH!Y5eskxR&E$*ZZ%o>8ntfnt7aw;>e~p-;sXj+|x)thUcZfm1Pt}OzHv44eZyp*y0B(SoWG1EHg zo?`JOJFA+0@cmE}8u?YneeOEkkGzmQCulL=44l5(-TnT-3|uQnd+d>xb3`SZ%&H5- z0_3$16jnK5&soj0!Gs?RhL5~?$Rg6lic;Nds1gRjh%+j#tJ7;KTdWj|v0flA;kdl< z5jqf*(7!^&o3z})g{u!PRds^yL2Zohz*%hHZ5(4&xyNzNX}iL3htx8&DVB?kRv_b% z*ueI>lbX8tF_O3aU~sM!m88mhg*9 z{;l`Nzs25f4@QmhxHp#&R>MxLvGRn6oJ{`CgVL=Kqm8(gWt~kRd4YD3;#kDKa_=k~ zXElE(^Qy|`CG)h{4W`+)97VLa7cvkM^gJ2<&dg}yN{EXc;M}sa*s3&3&|xe(ZMUXK zVS4w$@IJp&7UKDtV@4ZF!S>AY4Ormh0GF}H$+dYKKPf?ugX>YTjKz=$VS7bLfO*M1 zBXm@ipvmn_SZ%rQBS#&S!PvM2`2juk^=L1L4=ddv%m7*4Wc<3TY2M93f~eq>=1y=- zPl$Sl5GCYD1R>w2!W#L5CFVJqkq7~UeAqu4CvRPV7dYgZC$7+qz(Z`h$na;{)*|x9+2Be;RXJz{2S2^ zh+_Xgm~rh`^UYllpvjD7M;)x8+9 z0MUS8ixHVyA|~*-1wQF&>|->+R4cCD-@H}}8E~F^^T_5vwG0D}%dI2rQUIIfsh}Qw z5=?p;N^~-w!O@*yBNVGRobl?UFE6I&S3m#k?IW&lb<$$IQhQ1#Yzs51h4!%EMVP<- zq;?7~V7_~|O(h?3Qm$qjN=~oclyzgYQ87UlhRFYo8P87XWU@d^)4>!2GHE1}j+o{_ zwzkcMar$|)phN1hRF`rDA783LK9k z18r(}e+&?i@?$|-^z9$o6fyXux9v;k>HRrR%*0MXlQ%sS@f@h;Zm+K0T3ugr4;T}Y zhiazMgU!5|xwwBc?VmE|b;5eTRn(Qd#9^J?$+PQVhEPdUI`HP1ik>YGowa)1^I+3H zNw9MFvn4WZXJ* zr_e-M&JU3q+2R1yT4oQHrWlrE-GHC;_mQL+4S$qX8z_6L$&PnO>RtMeuy`s73d5YA z!+(5luAyh0&BtVNgEbmH_p*E)>qP=1alRmHi7oQd4iGP7T9+lU#Gs4Pb|1{TjQP&M zxN_-`#%Ss9%psMj)IsuNfrD8Cf@0t5N+c)AO5;c=7?nkmgL%l{(pHm&Dd*QNejX!` zZtity2Kp+?3n;B9ETSO;tvZt+t}lWu(0iVKmLo^}pUsXlvV%x7%?BZTXh*aR6rjXx 
z`A{&tN~x?Zx~z4NwR$(}s`8Lp*)Ihj0M<2g2bW&yA0yE8>2Uyg6pz`lw$0A_n@eC^ zg)XxKuQM^O=7QNm623LAf>l^_yR+dQaMH~6Hrl;Q=nz_dse6usj7vD$a&WZm?Z+jY z1Zz+&xXMnyc(SQ||UlYb@jSmE6{vAl3FrW22Opd3Y(;hu~*lywwB zCssgw^gHfvE-<|=6vtL7p_msZ&DKZqo#r1q7t?)daH9B#5Yk{wE+tcP&kK=yWc)3j z&VGbiW*^}=0w+;Rt=t}M<_T;OCc`Pb5rsWsS@jrN*v#I!bsfYGXn~g_^a%_HUr^fi z_W>OzdYbUH9I*-gX-LludNc6eWI<|x4^9Xw5HBm7NwkuQc_d)~Z&-NUyUwnK=SVaj z1HftXqvM)ft((~`r2YY*zYQZ1-G};CrvR2w0wpPs%DY&I(30 z7G~&$eqtgnaK`cVo`Z%T302`BEx7~BaHd@<3|zRvz(PdFnR;g^5isN%Vh1622}G?N zySHR_3n(i$qlg5_@cT=E|BDj%KfgJqo z1U3N~Pe>G~cvUeDvEQPb!hJc=fOt!i-R!dz8KGG3VB>_ZO~5SAKPRg%Sjsb>*EB%{ z!WA^}A5bqsD^SDXg$4h}j`#*F4A?o&qfr<0{h=F?V$gy=JUKpEkfHb5vRE9z$RJE0 zBeDpv(M-@B zDEG3MAyk%V3z0zuE7FnD?BdvonmsWo9wUmm#KbpInEc9bK-Zx*t37~%{qz~6rtK?` zR0GG7RL-9L>FS@`j8%T~%}V^*m21!6{08R4?sPPK^V`ZV!xj7piQ*{=z5M57_tC(| z#x}-$2F~v_$dAJ4kA`sO;CNsM>J&5ZI%OZ7;gStC&}zPq`(}p~3aR^2XJP6p;I99) zV`l(%i84-lIJUz&>w$jLcvaYN=U#}A@aLZ)DaN6g_pOhHTayu(j;3Un6piO`AJ|5l z0NLh@l?!o4d=XVT{El|<*Dkdjs%DMObnIR(%v(+;&syyW1O`02ipVIbCugNZ0QG$AQQRV0j;$O{S_B{8cTo zNZ!7i3-zE1>cKS+o-JCaBKLI%ozjlmP{#hK%5Mgo+c@ zhq=&_S*Yw97dI%L1GtC0qQgT}HRRO56} z?8B2^G%RRb)Qj+_O_sf^&Vl9%7qQ#Qy>ratyr@{HiDM5u8p^k-D-Vc~Oy zi3AZ%4lbTYKQ$+>bD4^4T3UUr;yb`IiOC)Q1AJWOo^ur`Fk@h8*f;FM*xhK~w3t=H zYkYBLg&E~)BJ;Q1wi zVR)S38&iwU6HoQ}0Zf5ap9V2&W!1^U*RAk})CA9mxFSp|HQ_~Q8}14BU0WE+Q~6tr z!665o_l~$d0N2FsgiEH_Z5#jj1f>R~xN0@3EG}dI{O~lu~O{WO2Z@%Jg4t z{L)(c#c%n=@4?UErZ*((MrPP3v8@m$HinS-7-pO@j;8J@1=ON;j=#P5hn@za&h}_m zU%zL2TH_n){>p{F#;W8o8m$(~y{2R2!oNu!T%D?6r%W?+)vGq=>!37kmW=tqt@i`N zl64Y}M(JhW;-5d_yuBy1#1EU;WWl)7utFh4jc{&6pM>L#hwM6NxjC(O`#mTF*&%LQ zU)aY27sXUN5Uvl3KRo9mN1kon;oX?j8fEScSSb$YsXP~-m2bLpo*)A6(qpXIkfH>2 z*s#D>%=**v-pejqZ-b(mpB6ro*Ee2wqi!NS+Ijr&9*7l(hx2T~T@s@{@YaEPIU?SLro1jz+y^>aR)k z;OLpzP|z6TG6x$Y%>jQDZKU0t?W8y!?V+N&L}R!=8_JRkV#Gfq{7jj2CvLi**UzHA zvwT~>_yIH}uXzT0U*tsR73vOvrW@GMtPDBXA$?SR`y-8;GEfc4%ySBkGTW_?M@Vh? 
znX(Mo#zw7f=k4R=AK(Z(N7S9E*B7jIvVETaoUX=wIUEPsmNsg=TGx?#S+Ex7K*oDM zogN)^cc-i9)_!-=J2WzL054nEaa!1MS`UDj8lAELy+sn$))v`NxmkR1<0i??EwtWm z*%987`BifUvD;RC1000G@Osi6Vqc%s*enipZkQLwBS=s@@Sg!933#5&H0Bk7hx5f# ze`dv~Bk~0kXU_=NL}OJpQ^N&KbQEsCdN;=RdE*U&n!dN*a(iZm^=SCG*ub1vd8Vojd%?4X z_a__rEYf{&FKNbkE`K!U`S>h0KRqa}anj6O1D6!eH^^V0_JsSj5#=SSx<%g~I(?YC z^Ep)~g?A1_ljJ7M!f&me!kGQ-g@u#{-N`O3n;snzoA2cq$zuN0P23`S{K|8Pdqk3T z1g{q^Aygb0&k&_!mj9@=_WQ=hH05umv;BPt3lM=C($fK2#b66kx3F3SS>pQKBh?hi z1F;-LiiI$TU(p?46VfeOoAe<;kb+vZ9$+7~JRQtoa+bXbN@Hov{EZX@FlT8Z$lMSS zAaqdhKD=gtPbVN3QVcf75n>VLN06K3<;|VHe&hPBwYAuBZ1$)ws!3H!7T3yq5_yid z6Z2$>wlQ;Ed>hnX@(VHy6{8Z^SrM=39gbiS(;6&^fga-G!x8L5vz&8x!~ua| zOQb2PKlvWG{*EENiH+0OB{@}N--@d8kzAcc_ge2ON;m0?%BE+f0V+#|-OYjIq?NzD zs69cXHGQlFzxr?r6at0pkIg`yopTz-gP7q}>^QLfUjm-R9Ss{7AlFJ$l5?fEx%X-? zwS9@JoIOS#XAe>q_?L;2`iBXN#BMT}UAVjrA=mvbSkEIti$%z=iWD$wFmmEakuh$o z1RmI&)m`WWucE5t0E~VB&*i1@@VxG}Z@Q(q`f43)Ro(SfO_}z==!?g=>Nq-FLNzRMt2%4BEs2+& z!*AhEv6}5Kb9ar4+FAUQJlf`G3%2vg%xLAZQfrv5JQUfJ8X>cwz_e@gV~i0J*h&~U z4}%@sD5fj;K9jc7GaCMmJ7cJ)_UD4EKY{H>&-#wdF(E<4yB6GQFv_#8BE4CEQV$YE zR;3VaOkKm>woVmqvBEHoTAYt0XAQq#SmJv)B>gQN_W7Uax#vG`G2{=p^o}v^;iU9? 
z=JB-3p4bHNwnYJ@(ZC3}itn)ch`P=rA?s`HTNN5l-3_?QpoN2$f z{Of=GpAcJl2%86DQn1dHG5LLI-@XrFia-{ZA`(34&0}ksFE#ln1ugHp8EpiCn$2<-MCu=0n%|?Sc#n89OSoP1a*&24*!nbWp6wJtFO7k zo;)@K@#(jl_p7^JsmS$fkD1fTfFoMFx#nZ!+HW+}76lNnAHvB&Xhme~Q%TnIp767W zcH0nvWd2dEBSjt+3^M#+$3JolhNaNPFx2tSV8uw?My!tE!cOcCWGq2|3}f%WvY6&l zk*5+?>tqH>eV9eSYGZTu+_|%hDt6=cmUl9IN-|CGRIv=C`7G#U)jy!YOfC5SPoX%= zsPf(A(NSI(x4jy43l2_kb=qez*~;Da`n$6O#K#Kk8hr#hs+~RWsg_z6C7=KnupJSv z1Flp0OfQ{QOOeqdN?5!iP&=A#urtTta06Q5#i}bTk8rd$TyrQ%S>WjEIK+dXnEOHY%nAKgI zft8r(^NP|dmT6qU-`c0$!tqJ9V+JWde+c(1PU%PI!BAr7N>Di>>37b99y9rBVCliW1{nKRw;~fK8~3E^AFRDftiXMBJ&o zWwhKGgHakQFhj$n92OgEHz`=XJAlRp5F6;e2@I*FdhW~L(B*Hy!#O!Bf*BLH!F&Ac z)15b~VT*0OwApuG^>Gb~pbT?z9&zrdA#ysAHqO)W^M+}P!ga8MuY2mx8uQ}=zGs<7nJ4+y+Iyc{Rgo;+Y&j7EIJQKdI=4D!U)EmB{3g}}op~;|0btS_ zLU~!?An5E$X;mL!pq*#mzk2=T<=gGY-#&dF&+XB{xN|tj^7+S_po*U9TrDZ4Pfm96 zKGMToLjDFZm~`d`4>N!Biw9}Ptf1|t5T78Ug5HIOjKlKa1w`Zw&?bgflwwuKN-K~t0&_8EC>A{ZydOuJzJ z?o#NhZ~oeN#s*mxVf+hxNZ%|1x?-fuNpjg4iqBtKX4 zG4CFx9b(4=g&pDcNQzrn9U)+e+vV^^`nYYz;7kp_Tr%W!KA_1+%#U>^=-y(mS-Iws z{{qlb!a|AX46t+5SKQ;sBzdUgS_vQQ|(14c5Zolr8+ig&m330XaxeOR3c=c zJuqFAC}IhDiIAP_KH?c(vhsOXdERQko51aoR5rC8B2(5;sLFz9A}$gZ zyA6AuKyae4LDA~_CLY89)II_qTMULs^K}qD?Xlt>P8l(|ru=4SJS9B}qTPk&BrY5E zY&b?98B7bZu*TPyqLrcC1ref8c$-#A^&=+cWyC@FNaK}Fo_3ZylVvK@lz?&_VL%1G+W zJ9Q0vGR6G(SKcw`D{3UYYA;nnaGGHXyFj)Jg93uMQ>f&KrGv6>-9ySR<;JEUX{Xe6 zYg_ilU;DerV86S~dVPeHWn-9$YM>5bZb0-L5f&9IkPJLmM$E1W&Nf$u>Rkv~1-4aM zom>2=-%Ig&8lE3vlo9iez(2zM4sTs_)5`?ORbXi4!tZi7W%e0`#JgQ4&b2mChA+he z^gAWEQyHhj11N^n{Q5CFq9Eg;MJeWm!7u?8g{d=yQze)v1dE9dl&r2@sjhuwa5Z`R zmKQ`=W@p#$k0IEic@xZEGuix*KV0wi$&n>q?24QU zt4lFl(9IZV1SP_7NSx!3`mAK)FzE+3o4RXba8WTw7y? 
zT>J6O3bMO8FM=b%)Ih$(DD{mv2W}7diqD$vZ^1s-EdQ@84|nCv&K>c$Aa<%;Vt?+- zWw6rIuJ@W>v~PWS=XK?FsFiwN9*%fVAzJvBrC%&n#s)Rdmt}`KY#H;O%}bFX}anJdH3W{Xf^INC&LBO!p+IM z{U#qFe*hN<53>n$b~o4nlQ9YgAq9naoW$!Yor$V9A&fBw09;r{QqQFx*r8&kW$@RF zgRBZXtt2s`tCp*tRu_7J-7cKp`Eof|XC1p3@-OBSOWCKpTUN0BoSle^?c zn*3`RqeD|vfvIEiB4L!IFIar8QmHv$t>c@-V5licC;)?5dLU#I$Y~C`2i5h%;7lh|mY?OpZ$r4F0+VP_!;)WvPfx`MUXb#j_{VwO`R{@$_s^eJ&_V zUb&r`b@{a2&VZb8<@CbF`!RjYbsK%PlNqqWr(#quN<3CvL6z@C@us^W9)V(fol2$+AeAJGK(raTJuyKo z?Whk2;=-GHG%Qh{D27}_`XxEI6Lb+gKnQ7DVRsMZl&l$|Nl8j7r17-W3B!gp2TB|f zL_Gv@4k7T)934RNP>_hi-sRGBoaGfZUKX9lPMHqC!*yFcB(~1U7fpRCB20n z9fB_1>Iu~115$h{2Sp3$>2>z_PEof$bgL|JV_A-bxLq-cltXaNgI7jMGiPa;W|>0l zV|ApiT==E2-{S4PHX*R&T~PTpS+poMwn9tWS4!KJBVulLS9|PAQ59zi6AntgSb8p% zPEJtaS?3rp<2QpLig9^Pc#4+?Sqq`hjij*4HGphAe0EKO52XR*g|&eO3amQhea}!c zKkSn^!>B4ul8QX%{%J^f|9mV2%%%3G{UaP4Qkg~afuqi`XRraJ0Bk!yE&ACDu*jg= z4w#jQnr5r9mGoLUnnegJ-^1CANJ4>2%W4%o4H7C4766*S&leQ2B21wkYm{JI+k|7s zh2fC(cYjq9L2@xod>=jNV4=O2QY$+g#b&SGM+iGJDu;o-N_EJ_B^Av6ff1 zcA@s>P+7W)0-56fst=0cEP=m}|PMH;)cdB3rN|4JM$kH=alh3|{;w^IfI zxkxTfLKfW+(MK5}B9F2CUp)Koxpet9g?N)om=Qk`sTcc9$ zoa{x_NYsk9H`nwG(xSE>eN|fpkR%$p*@%JA^NbP5Q}&39;Jb3YRDHDvKT`wo9jTqd zmH-zCim@(39otFjm-6niTE*-J%EOjbhv|tB*M?P8;ZRNk$B}K&$a2?xY!q5B<=VRC zqfcPx(i4wsaPa2#4^eB2ciRylS7X0juee4tw@80_{rZJpq$QRoDxn2lxist9i6DJb1>mglKk_)L;(!catD=64GP&V{h%_k= zv|QvXKjQfqi#YGfZ&k1$u8eBQ^J6HrasJ{^@TC|#2FAxx%-USiP$|9ft)0Jo2WA1< zBCCfW!Cka0mRQ1TWSj{`9OYUjNz@-*85<`+%GiL}Cld`Bf=E~|+{B2%_>4bg`k*Yq z*m95&HCA+xT=Br+cR&BENQK}B&?`_z6)DXIUEUPDYXy>(w$y6H z%l*;lPH=i45TJgSJN$UGoRIBg38hFloMM_2|5F(HXJm zj;y5JFb}iHAcC0d1rUgw8#f3x?JC+2PyBJRVV#lEW5wvsm#yQxM)fgyIGpGg2&ue* z>W*U}&uBxD3qbk0>=~sP1FX!z^ubn0TE)XI31@ny5C5(=vghBue)2FA!DH4W$~i0% z2vB$lUxWROx2FkXlV+NH^`|%6mf_6SdvxK@cIL_nAWG#guP6nH*cJTunzQ%alX5$p z{h^Lv>w}KeJ@opsJDd5lJNM7aUk-D*rfi@#X9S!LHTWwzBDTt`f^l?Cwza>+;(S8U zd#DgtOA5q`d%Bnq30L(Q^B}r((v&uBBu!)f z5riLA3YsYc2!ko8<^f`_+m|%YO8)(XSDX_^+K~0y_?T|Du{SbUz(6DEAmHV}Ca7ZY{GdMWhhfBDS7z=_1eSI`%YK>+T{A(!X$8FNizu^ol^3V+oQ049PCN~#ZrbS 
zX>q2EI9|j!0Hj1rnu&fs*e1{ollKi(MoYpLSCEAo_|>Z@PA!=4`Gt-yE{anOdz3UB zz>im=?i4OG;EDug*(KK%c@k5xOJUK(chjs8t^(#aOJzMdAL9vUvs*h)zWYM3o5JF) znSVj#LlFUWQ<~H#(Y1XF9J%Pi*l-ZdvcEO%ZhRFNaw$`z)OvYvR*J&HvC8o@ zqG<|zps?$4zM0xRt_FZKbv7K@H{m+~I8^5*se+;>te6~#KE7hwX`#LBB-Qq=q} zif!b2~A6RwrBf<~JZ%DNye zSXZGHD-kLSY%Xii**YA7Re$lQvFi)o?DAkJ^m$Rni;BSA*Jb+!f|AJ;m*GE|-ix z?7Xg-(4~{k6y`2MJN~(UteUOKmBq8oV5W@VK`Am4KN=3+p)x@b4gN?0YDj-l2B-R8 zc>~S(boD(Ec|UIU07nGH5t)E#@nA;=%wKBUAf>8tH&t|oACuMN!TAzw9w-r>&*~RW zI9bJ92q5I(`1~_Y(tw>P2-=K!yrviy4i#LWz47OtWeBA7q03kPKn9q;oU}Kfz>y1c zCs;p$^DvV6M_In3ANWtaKfUbctl9YThg(sf9=-W{_T!g7e9`!_`9rG-C7~Ylsx+?j z4LTc6y-U=2cMvb>dqu@TdX)QvT+U5B&ak+U%`tOCfa8%_h3g3^FW<dY4w;I1zDe9EVg~(&6lje)!;2e#{Vs4~N|*j@^|#7`HTw5 z@uv>^&P#C=`$mN>btn#y@~X23Ck;xUsKM*?aQoxjVu(gYM-aH}w6? zxy7Zq85a0yRI7+X+vHy3>iAZ%Jl-`#Ybq>vj1r2Bp|6+WbS{SU=(@Lu25oH1dHN2?x+&IQ81WO+2tLFEOlJXaj}!c>vWUuwWgK^v>2<1(eM z{mQB3J8vCf88C|pjVdUrC-g1AEjdE*gp-PZOJ;p3g%v8Qel@2n%|}&1<}y20 z1)h)btV2l1Xw9^fs950$onu(b3V-y`XNhq!sQ3YcO_hDBfC^&L_-X8NfeOaecY_haM%T2pEkp38jSK+ zF8GR62n{SrOPHZh$PDmH5*8<8${ZHFeT9Bgs3PSllm@y)o?e}`Lo$(jc0P&v>fLEl zPb?4=pI-K&JJ3i|V(cBVj*QbI-7w#sQ%LqZ>uApRI*cHk|Xd+ua>BU3vXgWqWCW|RW-XXpQKNFDy$G_bd9mnT0v<@>(oo90(%}CSL zO7?chmoZJo!x+=x6M6W$Ou}IA7{do!J4|4ajtwhPW-1g;3%m}@w5|GFk&%Y$SP{E+ z1}38l{Ix^*=u6=siCV;{+a=GQh(@5*dSgIbC;6Tfrd!nW}FMo}YbKqM#@5ck##NFw5Hgj$u88ATw zglciLXBkDQ;*^~qs+RpTCG1b24K$8q2Vn*rai&*H_7Mj=6=dhtfSxi!{8GY>vuq<9 z>|rjT;deW0@$WnY<=-FIqybULgpuW(QW@hMSHdHn{n_U4_vc^#9@Ky`ad5cB;_*e`CMmF<=qk|2aXggCu~PxD-U zcIvYNz=}M?Iy?)q1Ud!NY6}eqL*(IwH9xY3dO5?wVysk{Ogqk~m6zn6YEl3oX zZEAW*B&E^*KxVdPcIC`O>R5>m%$ zS1wU>BkkDQByuu)mu(m)Pbbqks8kRUbGABrT$r(wCwAF@=8vVR<;mk@vQLq#UiYAi z+_5CB&wGSEX?yoUes{B0-uRq{UcU!bY2%XUTao80;adS+zp^KRcVYCmfH{9r1cCo%?8#C#Cvi{^u{uE%w^nfJ(qIiMkG~VA z!zx?3%84y@g}%`zY`v1Tm-_UK4)Z4IWbnbfy(#!z4h5KY3Yn9 zGM91?_0Oo*W?kwm4ksa5p%p-Kv0dH!h|xE)KQXp{8!$j$3b1lYQ*6o=vSU~`}{M<9nC!DRn~2Mh#I3_ 
zT&fYWZpl@1m3mvF-IUlo_1OGAl9_af3J8SrPK|wbCe!s~gDf$6mZj86Kp+$H!UyP<|DqKC>;Xn?@cj|v`3H#&+lieuRhm}I9)#2<~PgI_Agey5BQf2O@I zwv11%t~Bka9ucr9odpUifMo$ghoDYOk+RrgRMtr-hJH)RA^NBd0b&U#7*|z`+C@yc z0arpHvmuR`(#In~&df(jftr^2Wg@RC6_>7L8CR683!9VLPGZ^1)tEL9#tZ<_LTHF| zP-oifQ!$)`iQ&bu5G-EPkWe|YBNK=28GH=Ab84QJ_0g9N z_8^F$9db#KW>!&5mil+uY(mh8MXb>?zgP9&4mqPHeQfs=;;fA;)RE~-;11)R$<{aRTSU*@w*spBnU~tHP`|c(!>_aPKQq=^6>fYfu zG=kX(pY*@~_1`n76yXcLEzdwu7&^DZ?}ziRA$iv)7RmMg`xx&R5Uo@lpr%wq8AZu zQ;+J74lqbrk433lcIUj0a$khM-Mc5(RU>=z7j(!itKYRh-a2_kO3ut?^k*)Ax2pp~ z21)$k@Vfr6@GJ5_4Z8Vz?aSNB&tP?tJ8VlW>UDA_awb{Wl?CbvzHkDc73M({cgYzE zc|*)MWwM9;M>aw5$UF0cM`@jTQ>vL=+dfcsmIs9L2;a-_6xAmvj6oMcL%wARI|Hj! zh!})f$jAS{tC;<#;Oo|i*ZqK+aeU-vLmsPk+?yX!+zn&_CqlbeH5I4m=Q($=0xRe@ zfC_vWXiyQVo@*LA#u)-B_NQEiCFQ)^ypnLTg|E@7MZ!TC6%NOBBD}hOp?J+nM}-3;#zEB>wp=bn!}I$%}fIPe6k1 zSKjkNRTg%>SEhH}{6LECbr!?9{!6&tuRm+u2LpO*6$82!cJ}&ED9R(fY+v6gYhNno zEFlK}3WEUG*mGKf>pU7#q=-%Df#y{VS`y1a9Xl=`1^%sEsy<@J(ms1zD1{Z}Alk%@D_Mf#uGA>NXXEh_FP zF#bSF%QNB!!>b6ONA<}U-I0F(pi*aRE@{n$r-9}r^0NB(h4jrHaAz9a_}URhl#b@htn~j>p*pl za%%=6h_*^nmFy-(_>rVCCmsp>!$U_0%Enn|usa0d~pk28%dS6SQIX~Q`e7E-viI48?*AHU@saVffL-`m=1#~Yx2p#&{qd5>c1 z9C_zRc0T0Q|O1;PWJ-N6tqz*{`(EoOjqVI4#R zn*I{)_j1m4KAAE)&;|RfxDvW$@=k6W)cV$)_Mp*}qYQrTegk9Qz3OkzNj(LdeI>sH z4wJ>Ci4wWqLN3?5KYBkvOoVZd=6npjUwN%Kf4vk*V#x=mBwn~o>>U{rjCX?v9@Lu;MZsN%v_IT%d%B3s=jUy+CWV_lNG@~p0E zvF)2|U%o@1qvqiz=Y8n?=}&vMAvI;IhFw%!S$da-9^p<~)nd(Jv{c&7FH8V6^RQI( z_D4C4zkm3Os zSfcJWwi1#k|A6H7M?G%*fS!Lq`YFW5^#SCO2~yvk8QEtM)ET zWG7|CfhVDJcc%G$r}ud!V<0zK~+IvxZj`#?NNh;vq^#D321oQWFx_L8BrQ z#tsfbDvo2;qz6WHUg#GlOMB!CMXS4CVGY-}3>arlI$WHbRd%siz{&TWlkmxy!QyJk zlA!)uC2#No(o9Xp<>dgQ35r|~-yy*b;bg#y=mMi6-%q;@unPd@@9hXmciWfJsqZ zL|feUtT%!o4n=I24eO34nwzn2>hqBfBwqol^~F9s#8kK{cpub;o!oBD4=2)B`x;s$ z_wyO;{VJYJAsaX9Vhke7RqsXqDjb?C88i8@K$NLA{xdc5S5EkfGUmcu$ID~{4$EHi zb1?QpNU`Z-xox z1B{gIYqUx*J_XO56aJ*ZN&v{*FYWZNG#qPG-mJVw&J?h$x;9P|udHh4 zlH3#@$9$}PYKK5D3B)w?T-*A(6j903ozy4YWek$tUl)Im`Sl302JBDJm!-_5Bieyu 
zUo!_>G`Lni>dcnc%GSMQB}vn0m_j3nAqh1zK|Vy)d9k6GZTi#C>qfhdlhy2Y8k7Fv zQVYsRkU?Ze43h}NB|a&vTrsJD)4>5A@kuV(-B3i~D~{(CDNUp|cHrme71b@&;xFzB ziFpw#RF(#ZYf#Z1T zJXm|_lqm3pnk2b<&Sa#mybMlbtzGo(^6^Zr4|mKjJ>kQG#1Yln9B3a6^Apm{@j-95 z>dG_zG^X5Fb)ghsgqJi-71XMDp&DG{6c!y4oiRF2JU2;gyDZQGpfpy=i6!Z?Yvik! z-UUVuCZdoXlFyyl475!K8?J*=qcYY{*rA62fFn8U@w%7=RwE(HmE^IsOB9QP435Gv zB#l!Z0`h#E4)|}%#SI*c{}#YI4#szRZOCPT_Hrn*Aal43h$^<8TZ}mD$vGl@F{`cG zO)OAzIM{XZ3rk2f2-It9aZ5Np*r3mwyFtCvwYA z524Z-iOAp2?iQ*O{5Oo-9?%PZgVO6R=A=Yb6sEGe1V@||03)h5Z?Ng{bRQL2S_6xq ztCx#U(?5bHgeDkZCflQ9DAylZ`%xJ#yCHB5c|Wz(PfiCSI#@bMKnilrQs)`Ku`&jh zp7CpB2^Zu7$ly^)SsI-ahW{4ey2HUQ@cFPCUm@3zFQYUVTEj7Phoz_ycE{s#?qOn6 z@iyOHgt+0iBVdl`Asfp>4Bq9(JTeDpdLbbNx?e!nKP{jR3?;RvhzLU82j!J}sGyWW zS6{ZNtffXUyzKdqP+p7#j;NI;rs=DzJpx{PI0hrS!#|f%H&-ZARMRU0wl2!_Y(9qs zO#iHC_8ocf<34o}8i&30H82(8X5IqRLGWm;46wE~>e?FV8(v7DpAZguF%|{um+OEj z8JqY`8V|K*r^-ISY!UNcxZE$+J_vDrGY^6#?d*aGCmg#Fm&rO%$Kmt_!pYr-60+M) zm36gkTD)FW&z9PDX6y^zEs~B=jG6mrivOS~UB8T}mJoXf_|ao1>&zs2Q6;yyhl06& zanO$kGpVfcUk^q824l0?GWFGxDfU<1*eVeNSq{$-AchO?@Db`oru}~?i2>_(Fm~bl zSG9N8!YQ$cQ%B`@=kR1$R!`KS8(tKl#<3+_CsMnvm0D=rbYi_2d7=MlTpKnI%TUuU zkjTQQO}s{;h|FTHq^!K6Go>Q1Qh!zL2SwX%HcC?&6|ECZIo0xspvP_85$al^lbWP8 zKxT9t?YsnU0#)X%s;iyu4T)U46GJvdxvJp2&pheR`hLV*8!KZVTs5H(C)ObVCqBH_ zqbyW^+{*IpR@kHuS0eBgysim8tq^n5rj41Ds#=mfR4gFN-LZ z{L}L|HGQ#EdMcJ{rZ&qpQ;(HU(oV^UF$Ux?D(u_;c>*RS)mT zhL;U)CT$8ykTMDZejjvygT11~*>zy^XS03d!mV@Za#pW!3pW~rBLEShGO2?y9U$*; zab)AJRwF3y2h9fre6WMWOeua^!tE@HuPU*vU15tnaE5@@Fw1AJGM?5Co6Xkd{l*6V zYdw6h@nE9~)`;f&mT}75V0A7FDt|t5 z=op+s-~IW?bA9yD!MJlc$nv?+-ki^j>pHUteC5b)VEj_%952p{t8*WR-CZuv`jyGw zW%-}7YY92t!|acJ7_`&uh79!D$(C=arC{%|)YPDee<5-Jdy8QO0(rAsGiE2UvyTf# zu*MUk++P`?ZYcK=N$W_JP(C?bDU9=iywW3=br07xh#d9*Kzl$+uJ^NBbJUwJ z_75aD(VY*!V0%__W~DhiceSfgMn;IS$f}p)IY$V)@+mI<*J1u$@EAfVGVn^<~ z4ju6YR4?afF+Uvidf-Tqxq63dQs!Ya>+A`ap^$Fi`Jf*VDN_1Sqh6C*7zkVpy0{8K z$_CyyyO%jXZXXoWy}?khnmyx;NUlgkLde}0U(24ei=N4DA1eV$hsEyUK=MuK&v9_& ziq}rzYTG&JjD&bdQcxz_PV$5IF)ti3sK)z9?RNEBMDa 
zrN9M7Vw;C9;438{gZ;+42Q$KA-nYP)-vOIndL7VGBL0Q{k2`O(!M>#x3f9d^gx!^c zdI=rWmAdY!WmjM_t5UOAPiMCIAb+;`)d!*^Ihm`y+CQ#xgiGa|o^j7i2|_ZIx`;QF zRzX9!lZi}R${|@)NwUhahEu*IgrITp>kYzo#@-d`O?Yhk@%Kr zY~@HJIg_^n@ENj8r+#*@H|-kj>37lp&^NYzbT9x@tJ(xsdCuFO6tGMRgVzldxGHsy zLR9nuKZTw&>2IV*on89t9J7-ED9-xJ{^1x`f1o*yr$$4qPLxVR(J(h$1*!HzU}9yIP)491yC&H3>Jyj=TZP;}n8 zn?Gx9!Fu}qv*Nh!rQ;G$=49{QYoXZr9`w&Z6Ct*WiF3EZ_w-_M-h)U+xXZ~D#x4IO zfR?s}zJHKyH6A2HJIQ101%rzf9%F~8Jf=jZqvsT{&n$wxiX)x%;#qX z^Z7ii_j_Jxr3M*sYYQh`>+WhIrdm0 zlAa@QgqH$fs4Q?i(jcYzJ>q}FJUAk_Q#tK2f1F*oYh2wu@K zW-teeJL}mPyJZMJ2Xe1rIn71Fs3gcZT~H79!{I_|Er@xCh?x?KtMS%GW|>|GG0`Y2 zKH9Eu8iIL;`3Zy|YE(IG6>cWC;;z=R{(B}$NW4!YpD|?!M)DJzp$Be2`Hb%{zffkM zR%6|0*gbMb9WtgpeAKz)UOL&1qAU`25Js!+-#(HC6nxQaM#sh8pswPAb#b-=B6&mc z95Knl=4Ujbhj6~_IXlnvP~o&Y$1H{3!stgjbqXsKMj+b6nI?&JfsJLr3~QJp`4WuM zaWvE(_BIks=pSMt9P*zqc6jd*ZJp4~cLcic_zN5-Fj^*u@UTCH6R%rLLn;M~A8^d} zx$M@rJ3C)+A?dLY)-dB)#({fOSKER)ihgcmjI%kI<}j10Z*yzsr6k1I<)j`dQ1`7a z7hVdYx}K#hr>&38ZVCaHyuassRksVwbzS=&AZFd~9*naae{jVokodT4LliIE4+U#( zx9(G1?61wLC>D>~L`Vp~Jjf+X+x4#DB?b(Scd++s{af)f6KqYqgz66wKOuQJ<%=w$ zrIX6CP#AYxQ8;$kKoV_?bA!hh51RJs>1oSJR&oDaIZP*Zn1bbgTJoAI&!CVdvW(GW zF&s8q5ANPA0kyZF3|L2MS`FJA>LH{4Ft=NqfZ%-*TXW%d?4hDr#t?xd*B7L5&<3)I z`cxndh$&2`0|61ZqsLhW#c!x#P&WVmEM1FRRwx7n+^EPXPp5T_hzQVLq2AJ>2L-JI z%cdjq7lh<|wHmGvSiHu)?r;v#kjxFx8$-LrC({mc!f=4QP5oVKL-eyMVL9Y{1UW4x zbJTdEqvGstxs?sT;1t}PIjMzsz$$B)gnXlnqwbFoffJL7m%Etlan@kSbV>mWq9v2$ z?pH(A`t3`)ic3#SpE?90w8z%qzhNaRwt-+T*mbx5(G|M}yFjxgif{TB5Zhv9t;wud zwckQOl3z!NmbNWdadVprr7ARbTyDa35B=Q(7d0<<%qSC1dSYXE8YxG5`sN%4nOlx( z!^-W86eXzUu(XfoNc)w!s9*o6YhoA9p-BI0YPBO0UqhBd1T$7y3T%sTzzX}oHk+PS zk5z;UP#L{~?RsBQjQc|6DKNx~^-O2gv351xo3-$P* zI;O$)$NkB0jKJ~<#`K!X6R|?todSiuwTaBC&C|?<<8^2ZaG(XGnV=YoFazGPB3W;7 zQndEPMP_)CA3`()=UJB(v%b{dO`T8PBC93GzUu(M)4lQZvKPO8fJDx{7SIXzHt$_< zsBtYrSq|RAcl~@Y5&5H8zL*b&dG|n6RVyk&fb}aCcx?-2-r)k|BIEm)xi*(V?%~N3q*CgK|M#@GA;2nuu3-61O0EyN`8h_)70Y_PYk6lar zCoX^0Qex3NP6-LvAix0o-!3Tz5@ZMx>nT6pyy_$d%8&Z)rO|^aWgCEA#S1q(9(C1> 
zU{4%Kk|$X5l?H0}MrygapG%6;R!Ljv9Rsxuq$P8$E_0MV*v;IbL^cmP6q42W6$TF7 zC`*C?k99=ZM0QEkibNQ+;c!4YhlpL!vT=il+cXvgXQ#rDeAn+o4FGGX^C|QoE(C4D5Wr$6zTP(z9ndofMRQwN zJW2gX9S&krGcX~@Y9L7n(T*C%7o5wbFHwrQupm9(qPP&P_>5rJ;0tQMwX2`N7bAKE zSF6x=UDDmpKVx#Hi5KetHEw_K0E8BsT#6hJtOHCC zz$7W4GgemJniE_-{0u_wNGAwrDF!5^z zkd{8s1$Ehb#pAP(AbEUtgOS((B``5pSLwi*frBfWz}lN1-~5QM5cHJc#oZDavqz7v zxwweM7q5MRkMN6x9nEga=K+8iW!IX2e}YKsE1JlUnzx&O|KUb6`)7v#|1kS9&u_>? zOO;(S`zdQdB<^3=WLRcS1EwTm?ZV|s?hY2KN~RZ|)ey2kNRAMRlxFbdHwZ&zj~+>D zKW4wjTmQBE;pR?0r;|6r=_zYv6eNPzNP>cBk3ZBI)AETkP3n9+#of>lUfpD3MLF)# zwN++iI?D|UQo7l`Icxr%N^=iyH=F!f*kNMYN_;NwXE*-&^2v*5|EJmfUGs+@e*Tx5 zswf1}0N%A5VYIBF;4P!ecmsR>Ay-YNkAJ~R%93%xYR|cJ#|1);+kY%`S znK}~(<=ibdUvBYNwXR`77uf^^8>vMU0(H2;3j;7tiX{#ZAJpC zVP+%2%%tK}X)AVHQVb`w!V?Ltu;7E?(NM9FJ<&-7X^%182n2>^2_TTT+dGi`p3Y%) z`1atvcn{0&U-u}@9l@9wKoJnJ3NYmRUf>0%tdtJ?39(aMkp4*N5GAmfprFt37%!{O zSOo{DH|RovnmYmdXydNr&qYmM?zav@nGmF03_B(|%5FH+ zF}imsDI@QC!eAdBUWR^hJ5zUy1n$t|#d%D}nGzGcOsy!q`m?_Zj=$u5k^TF)P7^MQmiY z2;tgp(y}RFk)$GmDB$H6Y(h#b;z~G}>mUT~xMbQ^($rP#)>Sy-rI1pe3bYemY`#WD z5Mwyq?MA7(1WH}6BbPE)5gYH`}qU>8SRFbzzMcitf0e0GjRj%hS-nw_N{zlkrtd=J= zSr5@7Sn%%P=2L)}Sl7M#+5L*+ncu4D9-ey8AL5j$+m*|WOuXVeUc-4@ON63+9#4+K zS#xu9<6cRhl2>n;Sq)e%Txz`DaK*cNSBof^pL2q$y6B@>+7k+8KCcl>LsJB|na zX;mJVEOBfD8WCDv7?vOgNOz`4Gyf3Utn7 zYZmI_T^NI9PHN4Iep86o1-f4vF|1mlT7U&5EtTQ}f%sjiQ*mi|0Xp}$25KTMMOa=%JAQubu1mrEL-%B!E z1c#92Wu+4?D&UZiQgIXHtEJ;_h(0VVCL`gLIIiK@!ceQ8ub)hI1yc7`EoSNK4ggq^ zZ`z~eIekU}{kgEGUT!KGws%YqjH#e#Kx)h}-DUM>Ot}GBwnkuO35?3jBwcFCg1WfY z3TlmfTnKs5zj<>_zbU$=*M4O51QD^D4YQTCBKs*^rkfO)Xv1m#{Ig>HVL+@2{d^vc zx-te@sy=3DV$fyfkbHO6glUh0KCeh-#Q4qma3&fSbvp5`e|+|bWAnz(W}BDWEICJL z4e1_dKP?axMs)MAxw+B0*W9?LTWuAWZ!))XuEO^KrWIbeih92XuB5X&Ac+c7JhZZQo^FREGirQ0 zJ;9w4HT+N!t_5FL%BiH#iyriz!~&88AKgN^HK%bP)3ZsFqg)b5^b%c#c>l@}aOI;dA+WhY<^8 z9`-7B3xfy>dj`4}NMj2xShnb;>V?dGme40#sJem zKg&Eyo@CZqd++mc@2wI=OR^Ii=#K5;z2~0KefG!NYtM06;fBuKm=%&^)h7|o5hWFB ze*(0Mnx$~?qOj>Z=%pXbJ}-$yw@%dpR5#6nN-S;V?#oZfLalX;g 
zmDxJpJF9zuq?b;mY8UVk-KoH_FyKSCY)z@=IeOLdRZ3W)QYo#`)HFegijKceP0ZM_ zlPU%muVp^{s*Al#UF^*vk0yomQiZ5}K$?me)b4kp3cL@vFLR!LVam;$gi9Bxwy7aM zUXxkog!nZoQBkq1y3Vh!U4MrJVg0jS=gpN!KM8Ko@C7#m4my7NU>ZjzP9m(~8@U=_Hc6MvZcOc)Nl(g+DJo`&{F2c5t7Q7at6d@Q&@ z$Vl3?wnfS_nj`#|+4)h|%p46J43G?IJiW7Z`-?mL-|fw(|8e*67f(0uY(HJUdh6*Q zx9&gP{$lg$^&7Cj^OKLx_*~KA))$-jzpHCcAAWi7Ki99VU0>cHz7`+8c59>ixz)`z zM$*|}HHJ4o(VPwUtNXD{L5}Q*B8g93MkIhazQQ~rk^Sun_C)|Ia~OAR<(xQ3-(Vt> zdxmhz#^9Pcg*rati5_$siuHTHz!x;#XpaR*qfUwvg>%Oo(TNN{AKDRNlbEjLJL>no z+~51{Z~8b@q)kQ&I;;@>_kBqZ{@a$))p?PMoQdDVJ6EbV6!5bL<0F>Kl7Ml>#SHN$ zZ)L=m{45t!3Q{mjk56Of2g6YbiDU`K^jYpr5iKK-&Tv(YF&3G9fWIhtf-Qm52}$Vg z@O*yDq zBnKh#@fBw=&uDchCwkIpo{3I!JvgFzx4fp@y)@jjc@vE z-}o!v^z9w|cf9n2hdi6(zNm^F&c!0p&{6_^-#bKhdC4Bgctd1wL#z-Ll8|UWa+TUT z$kKRhwd=$#RPYp8ytx&^?ND(F=2!|Tqh(>>0tr_O1c|siA`CO>eX$AE=)2RbGx z_Yg2yKn{>LR$v30^=FCN15$*~AEoEHb30*ys4_tR*3q0)TmWg;(C|QpQ}Lh^43c(w zaB{#A^=>gqkgq|S#D}cZ=@`lMNP_VU^ZS3;H2TsW_}t#~3XKF)Q}EiL=Lm8p7qO6R z5W|;&H_UNy#bE=2-9W^XPDWX?QPG)0;9YXE^^escz%5|C-?^;n%$!8hgQ7Tp9NMFn;*?KQj_RpX$DM@}unbErRrg+QXA*eN~P zaf*F^h&uo(2|lZ=<~`9eOVzP#%frdMMgQ31r+YXfMs(7$CB-cSgFuYRu0N2d+4Cwr zzks_hN`>tKx74a&Da$6bx=!IFCNx+%i5=r-4Ee zf;MOKLA=|3yJ;!=<=Gci1{}`FU&FkHnT)h7>9>)#+GTC2KY9^5hi+nPY=?5riblMK znbn_rF^VH1CGZJ|FWI04#@qN$L0<>a14Tm6Lv_V^L2)Yh5#!4pgm2|K#HZ=ymNgic z7kf%_Jm!(8>wcSo0*~=-TNBnt)N>;0fbFnkXfW){kaU=wI%DpiE8*AV6x( zkN(K7ab1wp$}1tA=U1`*XkTg%XXM88IRY322?f z&0n<8d&2GdZD-YwY`Z0K+LCE;0!?O#X-L{E`3N~ujFHm9(4)`6rU;unI!g&gJrBtX zA}hE|SSmiH;z{WgfphP3&|{!6NQKzAOn1WUA}=XrSg94qBb!y`XBC2=$cn*fHTaTs z59hUG?zA$JazJ}|3cPjGmd9I`#Ii(p2w1SjW1Un!!UX$VU{;C*u$hK7X z1{^D{iSRQ0 z-0tiTHqzF;yZr2{DUfgV+RNgwt_mcV{bQwt?imcWBqF{ksz@N`a5CvVaT*&asJ4!} znBLwCyfLiJ+@X5ZpYM*w<^%S785lv_%TM!PRmN`Bm0a%_KOFD-LasmhZm;9^ZT#LZ z8a>=Al>-zX|m+nK}5TK_IxrcTR;fWxu6jc|kJZR29lgy|j zgf0`vFl6iE#D<2_ab@lhX34@-?3q%>?bRfEAlJmlo6_C7KXw*B-s724?(@i&&xBpC z-JeQMp!U7Uk#b*yT@89`!Q03%bK`90N#*sdnJQEkimF=%S|F=6^ zk3SuF6~D!kkG~zf{vLUZP8>9LPv??TX 
zvNHh4KY{(09a;|3H}|93fa8u{E_bpe|I{Pf#agPgE3{Xjx=hUiFkE_vHqvx#sF=E}HMd?>{XgeE~{!)`XY*zg~$EQ-7aj(`;SsRR~+ zLABiLXicfm9!3kxQF4=>suE2`bIiI2E5#?WHNZ}*jV6{RjfcFwhxoUaIpYqRI)B|< zOn}cPQ>eNBn&yN#r+PaGR={-L;Vof-m7UjQ(8Ir{9kOF%f{a&T($;2b`FTvXa1YqN zNOw*BHFSFE$6%;7zENgWYKZ}jqXsE*YS>L>#XW*V-`hyfAuEF{7s}zlhQooO zfoT3s)(H?N8n?6v+NvhJrL{<>ffadNX!+f7rbDS5Ubk8Z{> z-X&4WqYi(cyN;7H4?p8F;HFB0z3}mcD3QUF%G63mypAUaFjc8hd}UMt@j~MBB>Nsj zxM#-X3?A6c43?`XpYX3D$jE{er9t)>vLUx*UVC&)mLjDx(`T5>l&6V4s)`xEabfv5 z@wu%>x8YNT@^IM0-N4M!qK2MXzals8Own@H1y>PfOuBM$-6YSqFNo`j^s3mF_X>^t zh>xrCcj0$P)Z|csuvTRrB%KSD)?6p%Uy-xPiP*xbA(`K!Q{XVu`j>3yYixgmdUK%Dppn~-b zvim!m5kQY1vk`4U@vhYMA1-~AVYVLeFD439WK-uKE3{;!$<+VvZFbo11$8zEKFRyC?Nu|wg*~DP&xI2nz-(&8^uCrbrQTp@i(*TD5DGa zndD=-nnB-1Qyl^eWlcE31>`zQ;Z>1dEQYa=wrPw(AJmQ;;_htKsqHXWy#5I3M!Srb z0#a2xX)ePYtDx!~o-EW%IXOUJk+N~73hfAib1I!bAk4>X4ipswHTj%^G+6{WTG^Oz zaJWGN=_}e+oU;QuKKK@suf($C;>D3NCCzP;wLB8M=Um$(HW+zNoRP{yL$j*tYTwtB689jftXxF%Q0E0yj1V~tE>Fz&ilevugL#*j zU7dUkTWQI5C^lq)bC+1s=K#-0gjHEp==5`{SLtDu zYoV!wL`h!IQ2edKHj{Mtv{}O-UJLi9tzG!cR?e|1tfVJFs}Ub<_f(uzAkplq;dn=g zlPU(Tz%-*E)G|r-*9zS9?5*aP6gh!{7`&W@01#5dluJJXVUNqIxYGL*X|q&tkgDZ# zQFmHomaAyKctr1W%%)?rBFjWIEVc94?}+q9vIAAX2ro4^Oq8Zhktr!w$;O6a?(qkU z+0zqxg0p-Aw+`-;EEajW;0iMed8-+)VjsG-?;191Zg@3=@&HsH7T67#CRH)<8W}Op zq~b2|I7UV8+hENiR1Sub0WK?4XkF{%HW|2tU5Glc+})_ep%#*sYgI>a+(q@mN#3{) zPvNOd4zJfL2CgQza1=AK@{jO3F6-LO-ujKfCzZ3)nSXuCqJK;KMxRygU+&bI+ z-W4I7=v6UxJkK)P_W7{=2vG>>lFXDnB-a)2@ zIlTyyiZbj?(=)>((rZi_Qn2mI1CwN3H*U=vOqj~g|XMPkZ`R9lem890RtsN5Ks9b zG{FYbq^UJb$r+<~j1=h!;5iSVdoCxr@4XJ()$?!GD5n17_3P`8F}PeERgaU1xa?cep^l1AS} z3?4Z1z>76qxp&xqkF#`#YCfS9!9zH|O6N1JV0y&EW<tuItIyBbvDa_Y&z0Wi@?cd#fBQN-_4v!MavG}3oh2Ta;Bsr=dOP_>YfgUvBm z#fLX5^q;5h`lN)48yzPCr&Jz-7jEzle=*pYaXT}mp}&P!hnO2>0y5-c2rZC&3{YwG zk@SC#_)Q4rOk~Opr??WPd=Q@4BZ=way3D9#=F{z-8D`LmL3tFF#}LMo?GrsaZJhn9 zm^FCNSi#?6z0vkpSI znfdSuc?C{mIKP0%D4P+^C@?64blXrW?SIL)1Isy#neFd)-Uwz4S1=oV_Apv7X`ILm96I8tmTeWw* z_GtMhZ~v5TGUEVr#g1;bnO6R!W{Mey$=M0Em0S^hF*yuT!xtf2=peiMNc3EHG8<7w 
z+*;8cj0t?I6Q(2JM%hRvMajhusi=w3UJ&g+P-da<<~S2UHbSSi0=4#||C`p+WD(ij!eR4*y^>cGZ6% z+(W!9rOxg;{&SwXt~NgV(C(e>I)_9~F&x_mwBHQyBl3UzE4}SAU)(R@Kup;WC+Pj{ z4K(d%!06@b?(YNOzYHOyyE$pL!1QJ7z4f3WxMhH3|L(97j$>pwf&O8rL7Wz%Zffj} zAw0xci|KC0BerTmPhjfhSVd9=u6H-CR6o0-#fqJVQ#~QB=YU7Ags6CX%&&c8NLg-( zDnpu6Qq+M>rS^{Uzd8p0Zj0Uoe5ria;bCaNjCiLV5Q4c%iVMs=@M`UCe zf#`U=y2+E-=s}z=zoF{%d3UMZR_wIgtkauL^Qqf_zQ-d>{YY&Di4sG{;+s)R%_MU<1}LR&Qeq@_O`F;%0Wn!P-*hyYSnmh zptomrm_qAxs0s?09c2P8a0Cx-uKo3NXG69yNaaRlYnE4`aROCw|h12tPI87%M1*&+myq*UN9;6w# z#T>wpr6>}Fao_>fh+MX3}8uXo*on{VD$!LD-gaVybQssmj2Z|1l-pu zz}Qt6>D#YRCX9fW@qqg;sAZ13wE#I#d6t|N!kqHLimeKk&4!WO(_Or|2C~-G3O?rFn#B}S#4PbVq3{YG zTN$YTn}FN6D1STyjYF^lDz@MF&k8PK=6kVNxU2;GG)`cvVbjIHx&y{%*!Xe zEXeeL#*DP`Zu&lkWBP~2@4(HHkHUdGSnp?s8_DoI&LFqIz;jmT=VPx?Pd33>*0)%B z?%19u#Cvle(HMUHQtW`2d7Lj6eO(f*LNFpD32x*)zu|6`q>O0fK>W6tc7hNXS+K+? zri8d26Y-M)jL5XyIbL2FLNLzoWdAt$t3gQPtC#+t(=ikHK8d)7f8<4hOrrg!y}fPk z2KNidC6{bSX+FR%=tkIUtDUerYO^CwxDv`$k7m5W^+A&>HTIoV)#XiSKpAXuq;_39b`3ze_l@4SooVwQS)I zKIT<@Pw$r`vVRjripx*id6A3mAywg3>oM;J_=GVG$QZm3w014b5zG?|gD~QvP+4dq zlnZ~NP`M>YZA*b)Dt<->iN?9b1jy$!{;eqiW8T7LSh<@|VKR;TL&0{{RISVNYaha> z=9PHkQ!Nw=*Lkud0Cr5H4qOU7SiIoy(M=j1;~rM*h<)vaVaa9HPZ`ya5=1{*Ir8yF z0&t-`KW=V06K;~KyRUT07OfeoGUq-?3R<9~Ib~$Cnl2sRFh>QJLW`Xj*r!1PyG?de zCddgOmEOjkCB54^8d{^ATb28v5BE5&=i=;vN|u5LtsnpOAF4kI0{a9j*pk{ODfhXD8yZ+dDv(lL#H7QvXV-xmPG-uf+?w6aAVMt zcP0s7#GMi``7<+}kVG6n-{b@~YKW5$IA z5LFz^yq;X5sxACZn*Eo2eoVO6*g`JgtHHZQb^cBoU-fgM5JD)|v$x~AJ=_+BB)fx_ z^$_EdV4*y9qw3~{p!owgN2nVdiG`FaFzlxgOK+1?(I)bfI;n9&3{{8U$p5vrJGC+b zJ-|(52f};^hOu+XrrPBSg>^Xq_n3@UkY&>I7rdy-dB57^E29lHQ(8yGFo(k5!6;0~ z{#F7Nk+l;i>mmjZcodR>Fs#i@0*b-P952!=)#{}Md4^b{-f_i))~AMX2YeF6Gm-z$ z#Ki>XGVfQxl)UBD_)s^9EegLXuqf2iw@6ff>c7VO&&?n9@eBO;8Z7<(wEe;ia!$Y> z#i%U3y!L&ok0iXJ7@gw4WIeS8mE4t|?=*H;Tcxd(CT?sx*(n5`*k9`*NE1DeKAh0n zQLkC|Q5YsjCe7V-sI8*lQ5U48Y7vKjss7i~H&JlR`);l-19sjQ;6{N_uq0n^U=A-Zmc#ygHDicc zQV#?rX}ZbT4mG59n3IwI9}y~Sn8%pH#FkcLTvecM{F&0W!WX6gpt 
z+r0HTHU>cO$4={ogkbqJbM@%>dJBQS2#YJm(}0Hg~!tYz?I$Yi}xDap}zZN8z#ms-9$f6I?LwO8;8X7wcGPfY{y zSrzzT`XAmIEXYdei315%6}PQm26%-|P;klDgKN0(^)E*Q0~fW80TchLjC)*7 zDWqpY+!fqoj|QO$15@y9Elu#2H3E&-L3H=tr!F3ofz!(Ct{Z;j|so4RMC3+~CsdUTIS zJ4Zdk=Zd}gT)9bu*PF1@4*I+&69t%wo|%T&=2*CH_wxGC^<5zOv0 z@0~3is9?%TJc5uK0I^bPkTM2%lm9+Pi*Mp!tuco9vWi*CS9K=PC7ukwx`@dUrO#-B zXq*qZi6tpyiHRqrUHTfqD^*MG81l2>Qqk_2 z?WG4eFr$r?O}l8KuHP9m!oG{Fn-D9q$rdcZ2GY6Q$>WC3E5r?L=6obQ_{8UG4b>wS(Qz9yIZ}asxustaR6^%z?FbJiKii*=IKg+U=h?N4E zxqhMgH!H#n=s%;Zgt196^uTc2n;Es!p43mboi*?;^ThAOZ~K=3#1Wp5 z|F5r8RFn~c@2AMEHyXmBz@-*ApUkiN!*8jce^WB81z0Ze6RM0Ef~~?{TcK~>NZpF9P)EhfBY)X-))&{np%N0YpdHx^Cl?gH#shHaE zY_kI_afu~Ig$I+OkDbQBPDM!5?5NXeL5-3^PUDW^%i!#59#Z5G=OD@qD+76=u5|?+ zLwJ)`nl5`My4aKdSbkKL)V2!oY_m$t*D2&SRZL4Z`}k6>!YsNmj=B=pwNW$CN-Y(K zV78f17VY}=^?%v_W>bM+ivIj%%Hb?USTta3EQ6g>*pc&LCb5?1~v%*jDyDk+y+s)U@0p^Bc9m z06(Wp6~C^41Fwiu8HiDlx=vn!^)dJE879r`=nvxM_uh&ILt{XVq;dAQ@n?=yTZ~YQ z%mS~W#W{>54Ksq{fOx!$86v-S!diyeJ$lY333yw<{yccxSF&V8fjl5^$KgZ zSxW_^A0lq55r6aU8S$0~EGSQ4_jxaSJJ7z8;3_*Sgj^+vSXX81u^t>p^%><_P3>B2 z%b#grPn@D%7nVX&{K5C+HIWmfdv4;2vfF6BX=g?q;Z0!c^Y^=p&5zjqO*%ar;_6G~ z9}=KkVHkHGLzjLqmu3N;V?^y%u&9I@a<~&KzN`V{{5#R0oei4{I+Ypb3hti7xxy6@ znpqoN6D5l-fe|M$W5}6y*L55WxS4mnL@KQtgdMmFT}$=d?v^2UwO4D11L&=d2&Tj8 z1nh?|u6z{-=YeuXx8b)+ck?D=r!!oeUbRIUMtPFW z!_E)cVvURi6`*=OSIT1ovl}yyvWC4qtY#7{Yt9mq?|HqxJ$1isR71^7!8M4=0?TH$H}yH0|AcvluE|BU5WkB_Ak@o4)UUBY#ne9oei7QNqSW=LYGT*~FOo7)tt^R(c1rmUP1 zoZxgX)cFWaKQyq}sJU?aukL3=N1`5=Lx5M0#TSCy5G(B~y7>(BoU#5% z>Gv(l+Q?v4MOKg1{h<>(sZ*dS>EfO=?gylPT#S(awehTCFHcZj*ykmL_c=}&uA9ud zqbPt4izl7bJcBVYr`G|pk@b#j137J14Q=Tb8~3d_-(4-4Z3`V;`UJ5w1;=``PM52S54>wv{y04F-1 zgO1P&bMC5&W(j}t4%wX^0CPtJfof>I6d1a!(*a(jwtBv|K^W-Qut)WahLS=GoPNm` zBwCT>$xIP|)^(9E3yQ^zZp!+Zz5ph^Qf#6OjA;UqAF29YETh2-I< ziJxaub1w(;i|Bkfh<|)EWF z7e@h}N_Dp#W?5I(RV_vKnneX;WEd^x7je$#d*AJ`7x+0T9vB<4 zUk$Hsj0t=-3Nq(^5erX zS$9R`Ui|?-d}o^M91QJTx^;KEuMsF#o3>nerh=4_sWtM6&%%no90);+)8-i6(yrgn zz(p7CWpKrZms)hk;U16CoRL2F_29-Kc%CAdHH)syZGV})pL7yQqGN%i89F`adA`K? 
z_P*Sa_TTcW=``Kt#N3~sPR{)(J9&Q{a9Lfv2xPgASm?-aEc``c0K_4BXK0`%swzHS@1MMAk0tpW z&zv{|X({09imi~W)$tk0h3v*D*nN2^=uS@tRMlR65wLZ5UqVtlYD2r)vf>t)F^~2U z7Ntzqy}O2%%=4!CnbRm3=FFQ;=;ruofY4e8u1p@Qn>r{qL~d2W61c|n;S1G9Ssf8s zmhBkw0Sn<%&J<`td}aJe;U;nqx?W$k*^bm^gWG)y6vuG7&R2P7y?g~qI^Gn%Z03}b z5Yip~gwvSZNxKMsGX#|4d(BkZpQ8l-ORkgbtbv|bEG=CgK$O2#qXhF{v~K%I(N8?g-NYvgwmL8f zyN>VN$K<%Pk`-2=HDKcp=3MqZ?})3UH!3Aj&H4w0QAq5=gAAu$AB?cay;L+#qxZF7 z*ocW^iq3|Sl$Z&(fYd~$H5F5bpagp*5~psitb>F;nKLqUe^XVfR1wp}4H_L%;~n z=gF|8Po;ZyC|G5Q$97Mx1;^I0-2=L^ka?;`X`s4-v(p0tV)p^t8F=|BHy}Y}+p;~| zEqqC1sS-sf5i}bPAdra?y%OIUmk)1gxIz6o*m&J>p?}`^hd*~Tc)yv`&rr7b%ULGt zhh<_qwV^>QQ^*5p#REilr;rJ4n8vl$u&3p%r;&^Xb-g8lv&!=Nb(wUir2%v2`e`&F z4YFSid95U9WKfCc2ejIi1s-HyNaTUVo1oXKAOHa)pKra}|8xoa+x>VU{q+tKhH-{_dBj;bJ<YMrWXKh2D6J3Ha@i2YsdF4@%-1s{IXjO)Xi;CeEk8H$Gt&{G z)tT@h;S`$b9=uwnIYNppY*x8&x#$SSWf&w%k)==y#+#RfO}f_DMDn76&35N@Ci;F> zc8y1R+Bt&C9so-=70Jv7Qit#cE1i6q2}9_}0zhS!uE!B86=OL}k{N5qzqrL~GO(eL zfr})$-i4u&L7|shPR6TJ)2n-_|1@vn*{NpAt5Hkp1TZHIVh^;=pKI+Mig8JV3Gvp! 
zx3~jt4w4LdQn8mK5XpAm(eVhmf}~VZ2GJg-oKJ2@Zfb4t;<{N`yN_vTso|X8_`5UH z=Bt#B;uUJ$9-8C_LwhURUr6rRcP-oSJq*ctwoLBIcxFR z+lz-GJDc5W-~4fBPR7o@E*E?le#y~&XB&L#GHQs_4!V}`c8a@^R9QJjqg}~Q3yf43 zOld(d2xsDvo}{D4vtCU3i^>Wp_!Dh{7KdZ=LZ9hy6SagJj2pO9k!Ev(sA1w;zw>&b}N5bnT zi7pwyzto1-Tg-1iLRKjMw9oq2`x$?9sdn(B4Ix-#ywFCLUGF)=>1yrow(fP1@+t<= zAeY&Zu@u~(;sQ&d%^(0TZLREh-ZlVa zbJsFSph|32Zkbj`#@~Qvj@qkC^emiZnt`oM#>pob3xHQrnP~?hNd+i}P~m{Xm^bB> zx!K)piHF;HC}o$np8J2k^l>wWuO0#f#({IL0mo?QLFg&fx zj{Vu<8{GW|43{CVFU(JmK+AP8>u8_nv5z8XayjCS!}0lQ=QcQ%Mo6~%^^QYz_jEF+ zFH&-OQX}uOMR%eFr~glhyQq}tDi)o=&Ai>KnlU}LJP0)IMemvImMw*G=m_)Xpa>ye zVvicH)yEk*6St@Jy-FLDv2SfKTz)*o+b`986u#P7U&hrC9;ZfkyT|QGiyHg^xNO3o&2!X>BKeiA z735hQ`t{#uhpyL>U5qK)-#LkB`>sWn)s(>N&d72=6D7}(W#~n7H>XSX3?7Y47D-3^Q~PJRC8i;4)vvhBvWgMG3)bMwn2iuyRhQyr!lbkJWTQCy!s#b6_ALt zdFcx0K>?$`ULBg`(|Afg%sI!Y8@?7g*s!)zMP6dMhfQRZMzBa2P@fr`Za$h8xYQX{ z+M|TLE}O#VSp?2}w59VOhnSUykUC`BImfXIq64_(^2#+o*2KE%O}$ooM&u?-ZMpX z%`S0L{CYx;S98sIVfh|+Q)dO#^7_~31uS3!%o%&cL$`Vgzc(!EY&GfS9*P@e@kU;O z;f%9^81uefI8FuC3%v0!e4~E&Lf;CW`GT^6INwa-pEOgr%|ks;0=}TX6L|@soOTF; z-H$w0%{dMkj)pxy{0`y6bqaBAiI0 zoIze5rginVfIPW?0NnpxAU5Ski^ywx*h+e&PZ#kK-(gw437;l*r3{hEu?P(9aXDg! 
zHb8`g%!k(V>}}YjB3JI{8YeKv!6k9P=i>m1bzcppvH?*TXh_gCySgtb-p;Pe6E7eN zRJh}GdgY7yA7`(S11R^UUCOa={;z!5Z-Iz)Ob3jJv?8kN>H~@7gOsEg_SCJekl~Jv zdGI!fZqd)HtDmywppDe6oZM31WZO@^+&@euK8oK{Ei?Wdoo>Fis@ZO?dF66#Ff$B_ z3~o{DQ!+apScRhA2`qDchGDg=MVo(DG;G8vcz8MM;|Q%Aw66i1$IhXvV2oX`5|kNB%A*HNMhGQ5T!l!d zk&!6vanR+u?<}Fgo-gz8ciVj1Wzy?x*JD$A`{aTJc;;YNa_wmbPqFv<5wZAx3W@H@ zWJl9;(zL~DC5L{ft7!jO)%)!-#hYhZ00&oE`hMi^n`d9$8XFjj|I0^Kg0^Bu6b8W7 z30&fT;A%a_b5z$NNKL?6GM0^seiDIf?8*x4P^)?AD@zip_tOgKmq zoH%)PZnA4L&$h~eb4hoz<^F0Q1Q(|$V@zaKgwJN!r3i+4!LV)&OQWj*`Gz`&il z>#&Rw-PAuMVk;=8q}I|D=*)z%X!yYcdbmT<)&ZJBJ&%J-iRO1>p)G~-iKu!8g@QaX zA5IF8GzmxYtW3vcmimvSVLEQsP_?8$_Lm#mgn_LHtuL5{=g7`=h;B^{d6EIegv%UF2*nch=LD zJiq+2$+2fqP|xb-T;>f=A-@&|x&1;~)7@1mD>sZm&Y@ikx1!ics2R?ACkpbSN9CFzHi3!^%MoM7qh`i^D#D1!I8CJ8u-`PNP>tv<%is>jaM34aB$zl%Y z84uvdoZl;K0zKRYs`Yrmur({M0oGLRe;&{p-Rvo)SXT>;+|g&=?E(GSRUO~F#tdbW zC-yg-Hvy^*Fo$qjXClfHTG;?wsNGz)gW6&h6g8lLMY68jhLRgR0u|Q0nR}BNC0US= z2uO=kJM-?{tTHV}^k~2pSh-e-)u<{i_+Y1e`%4ptJ~bWm>nny8eQet6haXBi`yWgU z#b8ZWX}>eU^?DL|O(<_AXiGH*T49v{RGlzaf^(WK%y%x+;wAhp4V{CZ-9~`~Jdzn+ z!BgQNmmPmXupCTG#Px<(rNQ9FBJnPj(A)_t*$=365%h@2r+Au>x>ASkFy9?BnU&DV zolZ@Umqii0c{kgze%YVDn+q*5Tc|gVZ%9>L9f;Gt=*WPPnIv-LWa6rjz&Q7w?gcKD^%mNlJOq?W8 znQCrjdYq~~*b59%sRf2)sav@3U|I6>wSN>+odJrdtA-m+H)WKVh}JnJp|q-j1J4h= zt=|%EGu^w4wBZy(KMLG+n4Mkf{C8y*E#b_h+8mnz+Y4LyV-%E&|4Ib}Lr4zf&W@6l zIP^w;fFqU*{<~J*>e!KOJGHIh28eb*~M%8W1QVwl_eYTrSq z|DGF{0en=-R0C1OjZJwngAN>>F9O|ke}DAGK>UHy2_xE?pD^>1{Ie--IaPILxB1fBv zZ)8aWA+~Z+s0Nojsl*9V z?P7fyh1o;&hr{wQ9;;6V5BaGc3ytcehoab_ya&~YW7jPUBr?vZFUtsDBTt>p1UP`C zY&#gN$QzJzzJ52lvi`Bh(R%0`{0;#+C&Kv)G=QpD#=fm>7GOWd~Wwr$%S|6AusVNp$W?bMs z8Cya#Bvu0#Re>mt9oi2rfVE*5dC;J%QoV)s2|gb2bCZnH58pSJ%%Dvb{p%&*PefhM zVL*^PFU8K4N7f3%vIwR}KWTCkt{PIIB{GExPa!Ie?^2~!0T-lj=$=P`aF+RHj~53U z_X93Z(*Ux4aT>xWL4B%y+%9iZB-(4Be*_p7D@a8gfmf>Juzg`Y&G=RCNGDnHXK{?1 zE8$I6|2OSx=mD4@W}HD_Pg&VB9>WaS<54B%8SoFvVUyP?->=Xz6E+k~)UWAWoe*LJ zS|J(8IG%lutD+SVWPQ|Bg(7PUJFLY}NOHOxuNXx_BGQ}prg@UEYHS_O`1}ZIIkO^qb#vr19&xJXvh(LqdgBo1xSVRE0=? 
zjOrBBY7}L8`^t6Qg6h$Tb%8H{ywZ&F^)CAFAzQ%7B`jE3^rV_D(=lI%u?Ikcfm}6* zY~1?YiaDZ}$<0y-R`vzOaK{QtaD3ngAsfQUh!{fgAAZueH{FKmJ#Z`iIs1vPSTERe zQ0k`w{F4O_qV!^_s@O3e+m5=TPdt_+&dX5&_);82(7^gbR!sm#A0iU>-x%w-f$2b~ zM@w(N-;2ID7%@GIq(dX_LMV3^-xLUx76v?)P_>vFsFpFmfq5 zf4+Cf!DNTo0U;QteyBnA)&fD{|wd&GDzy38OX>M=#~ctnlnI)ZDwJV z7}Cjf9s{q6+78uy{n@>gBy1!UB|=dQ%h7Y*YLPDuk$9LP(xs~8Lb9{Ab&SprX*~cS zH*8UNlr!MJI39ap`BmMQB`Ml@xYDkkPBtBZkxE zU`>xhZ#36z&K~|6y&(Tihs-6*cVfeZg`t)gcVxWuAEs~=nKtqSUBlL1m)Pvj7QS7* zps6KAagN5YW_o;*JkD>tkml`H1A>|JA z9XVh))fvQLQjy|fSxBz;-0n^%6+u86$sn(UV$cw@R0`GJHRZ_JXd*>vE?58FPpQ=K zzhnG~f!GDZ!g2~$=1+GiaU96b&c)G)D!1v%6_}Ca3|IH$MdBH5Ut#dcM2U^WHkc%$ ze*;>TwxFQxESAD*i`YL336?{o^r{221FA=g|KbdXkwo#PK5QL%Co^x-Lmd;TqvjlA zbN8r+JP~&ajEMw;lMAQe3qF3oR(`DM^=gV$+HZD%A(i~ceuJ3s3tce>QV8kQAYS&p zhE#aaf4-3ipudF2TG#3b`{5y3)-hrTPoJxJeqWwo(`U@yy@;$@o`@~mRiDaDHiw3= zRsR-=Nqp^i7e}u~r9yHmWrE~2mU$to-$y(U3zjpXC4p1rQ;<6cqh_n-bE4o>BP){) z7^p2;KAp#nv;+iXoCm3&)PuDMSt06axMYtLU0XBVK)ekVS5=8z;z_Ve`hq}ZYtfw% z;?PUQEha?LWLGn{A62Rm&W;+XLH;rv+P?os(@N64R%^j+3CvtYkSfuCLpzZtf5!!; zvTy8+_zCws#@&)1;|-ko5$a>a+)mibZy#h$KqH*QZNN;>d0?0U?S-tIf1w z-qL)Fd$wQZ9h?>4L_$SmY_b=@6TC$fi;fHlst6q2`u@lnK|P*We~9$LNCi_c5l*k% zvm#q!9YeG!t335Mhp1j%e~$HaWc3PV-V_QR(CO;p%c099gV)ps_6dH-={~%OfV@x)Z^go-|=36_N3%z+>q?%Xa<*4Jttns>4x3* z0cN}aN2~~JB(!eg=tG+Wyu8vz#17V0dd2)LvV zoU({26;@7;-YW&0l|5zVXcH5gjN(YI#rZ>OC(oap|GLgz42o6=M#*B|1Hy~pgU5#y z;caYsR8nYG00sl78-t|rI~U65NY{2aKpn^PM0|yyES5km>rGoMz`KU#6v6MUv5|pq1uXJ7e?+7&g;paRaQ34FDyHVmd ztV@_QNBmt z-)%N>_JhswLw?H;p-L|+Iv0Abk1m#^Wb-D;^-znBGYfLBAZ;& zfO(bPTlB}UWR<;_&}(FBS>{u)CRHhtVh5JnD7OuVN=pP?tEQLPT^jSe;%r|!6>1g6 z2|h2XW=7g*>Rsn6ZH^+MJ#fM4C7RU@4~@CGz{vm_@G)cM0(Lmx(Px+uw>uKJk`U(4 zl%+b+Kd3wXR-vVBC;^{s$PWF5mI6^prUs4tl$YT1*9>6FADqfj@^@yA6d`C|<6dI- z>s7E}e@l9u2VLQnzBk)n(zpOa@4%2@)NM8=(9h%OQhJq~1aE5xZLu=;kVj=Y)x@el zq6sa}q|@~ZtuDr!v>NOQ-nj{Sc$t7bq1_&odnnb8!VpHu07Bv<_OF*-P^+>&EFzjg zr(U0QT8;+_6vl2!L!)f2r8#RGg&in2%Sb+BC71!jVd5j{HS7d0jK;o5TY48f3(__5 
zU9s&ae(SIV+@Am%p`hX=zKN|!4UjXtWuLu+HcX(XcPJP3gwlm;;|^-LER^sFktKQ2 zTKz@`!tDM}rmVlWOg}N{<@X`&>4pWK>8CO*SgVnIeXucB-U(;(H#Plf2WnfC--DV` zy%yt%p76`mAga&AI%L5-Qpv?J$<*0a(QzoLv4+G0i5*lEo57o746DdURo)R=gJn7W zdNf)q68?ju+-+CEG%z~ap$TZuFBMDClBf_%#C(!|nOQtKCKe9SIB1TwDI_~ZAZbq2{-;~<$wpy5 zy%0u@r7XcO^_d?Maa!v2xH+G9Z?b5VfB&p}+SN39)<$v^5(D#q_ zDx#QlWy_W>EbDEy2-MJe(tK<4M2X)fS$i{N;}9<7bz&VXKws>(@LPQOz%T10Py$e++sa=Z2He|8s8MBUu5!LeAfTuKZ~!C#03ZVNjui8Eg8%@D|Lwy4 zx8h;L;OydQW9m%rVQaIkK4rJXiMoT4;g8s^{#1Xo8CF6ZM<*NDnr#xWv50JnQYaZ% z#Nq_;{i=6iI3bl&WjBxhJn9n>e#-ALj?-Q3WX6lAsWc#Rq_Z(j$csdEyoLDfjFHV^ zk^=pR$}%7o0be3|Th#Xtw3M6Csf$Du3otN+c%4Fxo~BC9lXUnXjT-VF&B!DU&Eq3mHNoOlhi>nNm4KkV+3na4r zf4Cy2(j`{fEql56&&z}*u^1JzD_DElIP-s)6PMG~?Lnz{(D8I4u3pnFidOXpVbZyz zqri*1LdtPa_0q%$K6RppfC{&PgS_ZpkH6)FgV*Yc3V!VPjKN3{nu-aK~+8q$|N`|H?N0hG)hLzh~D&6j=o2@7Vy_i=VPIFtXLPHG?u!8Up`h z2T}$cDT_W}n#H#Ix>FKfbLJ$Ea%X&;tZ7Fg#9hYgD?p1Y;|*WWFq+VqUyoVCHF4#h z8C$|pUJ}L?x|_8om@Wq-vjQCuezPuHS{4 z+_7Es4$2vN2~4sB*g)~k_;%eyB`(P(Pj$H8q3FN;qWY^|FE}WBgVYI5`y~fY7X|x> zw@Cfz<@`;t0~orJU6VR~=8CqDE$Qe8$w5ZA7pjXNFhBV4ivDzx8-b){^O;6Hm^VW+ zE>)=uXcL&1US?}y#CHWimXQv5m)*oA6J2Z(NJ+nXe%F$xekcrHLj1(`ln{OR_xSMW z*BGzmY)oaI%SG7FejiUh^<*Dgq0QN@^}aJ#iPIxA+&#DsA;wybISFU zO?<+LIS*3a7R|r=aYEmO-@u4lC|^iw_|oC|g8l!}d@!Pu4)v>eqFC(l*3Vb%^=%t1`1PZT!0DjaaJ-0Ya%(C57ve^7x@5sPtD zg`rrGuDAbM_r3+Rz``B{vTS6DA*HF8Qq)zzfI=#H%#{ljgtEqop4@1jY`m5B8UppN ziJ!7UH3I;U>E%)?ovSMZV$}#TwfD^j-&0dUI&3&zFN;D8p%esl&0(oekn@X>DWit+$jO=Ame(S>nG4$P zWlPHPD2uCQ$9hhAK2E~3@#E)$&6km09v5dDljEa@t;?&zij9sDk%mQ*&0fFu_Re#J z6?^O5yu`#{$G@Cz&RefKI|mDd6`MrJ5Vw zpPw9WuAWMjNX|=n9iEvVi(L0dMyjRm7%kDJdcv-L{jh#>^HOtdv~%)mdHMUM+9`f& zWE1S{gmrm&zmt}Bp@cbd*Xz9U;@81=_vps*m2&0H`D!5dpuS`3g5{h?o!7-Gx6$>< z_5NtwtNqs2&cL`u;U|%X9Tna1zr;EH=CU|Qq#{X%JfxJ zX%?g;fWEA=1J$>lS5^JjXR9THMvKiQ66c3Gb4QpZsn44w3%y!8p52rP=DF!zZU_%N zxz4C~xotOZptg8@u=l-x_(tM-`R1DRW?uiMbAK`7-R8~IdGn3i(Ulu5%@UcR)ObP8 zc%);*^}^)|ZR7R%@aAswtlW^7M4{)qh4aOd36%5JSY-@hI8LfQP-&9Ohd)ZtQ?orbn)IM53yOXND+!=ZE_H6IKxsr=-w{@fQ 
z(nzvNprgWZ;K@ZNOXIcm6?bpvB9}J4)K!CLTB*a*?ks+@+VjC(h6hV!&Fdwzd)ND> zTI4t98>6kFWemvOo8zAkY0hg(j^z!TZ+?i-yw$&<&1yQ>|6qT1wkvh^#@y?v@t&g3 z*{&AGcY96gU#Hc+Yu-|M#4Z)2qFM>b0$o6d2WPq|MQy-ttLW(%Oj56|vP8Qy)? z=yE~#f~ECH8oVk`=mZT`fTmu*?ZtCwvbi5r(aRw&^Ml6)9)b;py!GBOjAp5 z=->bfqSydL@1YN(PtixEZ`2nViCbtylY_Z|gN}B*JmdqCq>ZUpZ>D$~BGB_I9x4#@ zW?VO?$lG!wJnD5BrGCzGmecf2a8k-rs8T@$9LKiB9x_Os`p16OYW+xAJkIm1HJs96 zoJX_u1ul-@J)4K)>UrOv;Pz6tE^yN}KgVkRHPf5)DV{lTU-RkeHff%h`$LA$0w{7` z?r$!i;F8(Y{#TgY`^~CY&4)9gX0_J?-d$(Ht}AjK&EU7gMl=mw1m}1J6!hF61n(vh z0YyeJ2=UVpjhZY#7}#j zh_&6-K&@NJ07zQRKq6i_fHk9`d`5!5@A&Q@7ajS(Hgu7U|m12l%rkx@i#6@x_LQiH@h`LIcHref8a>|~+ z?C|c2ev(GtkEY0hf1je8{5?ug<~Ea7ru(;`ek^swe;1RRUmT8Q`y>AY_~ml8xdO<- zY^kSCv*c@LD;Y_kWz`3BLxSkTT-3pR4R6Zb|O`CeEy&unHbGpWc5) z8!}%Bqg||MP2iu`$~svqX5&Fp8^-mMX~i``Csm@UzfG5;!CK2dr6i0-hos8;vJ$Bz z7_%8;iaP5=a^|JtHz*%Xm}p{6myH)*%RQUXs*>VPUbhwGy)eWL8>C*K8N{<3I2uo! z`LsLH^49gO0g`$kd2{oPfp#?YUS=$Hi;in0zccJ$$DQPHiZH|8 z^;}u(nrK%<(a5Rg^!L8cVdKj*Jbcg9y!W?WNg=7#MS4yb*;MzN%_t3z+yASuh1WYB0zQN{vtkMMqI zBO>#0y_?Gpf&PsNA{nS|PvkSHlk{t4l+q>&y;4s($~EDw!r)7#sG%xi&k%G?=J-40 zsq!jw9TAc-jJ6o19~fUh7>;gBKq6zQPqE9jU2^*kho$kV7}I;Us8i_PDY0~A6ZvW_ zwBVIi#oqZWtiIJ&o@pS5M9}s|xk`olrP69WD`XXeF70*YaYShUg^%J)}7|3if>Zt2t1vCZhZj%{Doo zxjUv^`!Ffhe-%fQYFc;?u1Y9UsUA9P64%?@22gjuoah6YkI2HV1si~~m()eH1p z6Z+~&OyGxkv5Z;?MK##v$E0HxA~F$njq>oK8ZFeOb?K{E#+E7lcVhfGbz4P^^J<7a zKocS4NlKNSvFiCX&g$=OvdoG&T;Ysd>aeIsqoXO=uOsOs2eKpX+aXlKv?!Mp$!nd|E`a4Zq}$QTa^t z*v)~BZKI^Em>GtO+GM|}pNn&-&1f(>`Rqk|kBeJqTFQrCNmQnBT1ihB*Pw1S1S8|m zamSTpj%}j|J`pSVCj6UqxX_o;=$k0g>ewHj#vC^z8H;;o^aJ63`o516IgX$3A%km4rup(v??F=BS>j`YB=U=!A+7jkdwB+!@_rZX!N*@y`aPv~uj{1X3ei7>wP zgb?yxLe1H{Pipu-x{x#1lg{WdE9vMhv&UHJLd4xCHPn-_KjGSrRuz~J&rd>%ix<;v zlNc(eva0rbI3_I;5`T1X)L0}Wm^;M!>)xq|vB>LlvW)#vZ0==Umcw~-3i5)T)GqCvSh<|4X<#^(qSC z^^`MsP-PBRtL6%-H=pq{a#z6+28ljJq(b#~ut{}zHrSnly#iOws(N9kmQl?zN<|x6 ziO+z+%rQTk+mu(SWR`NKqvvi&LUOV(DL5O-WA2-`r@_goqSj#&IAX$Cc{P|-F4>ia zBn74D>JgY(e}}8l(pl#}SLm0lsPraXuku$usC546$w2zzftj`RxUOD&Mp&eYb$Yvn 
zdf#Y{|3Ns_cZk`&xOB~At&1mrE1 zGK;UR*of2Ff)EupznJ|pSNgibi@n%V38Zc`Xdg*9!bk^=29ZZMm-2Zq$pdd6sG|A_ zfU!qL8%HVgqd}ocJ9Bzv3A#VW9APnCk4b``{zeTISSh+-lJww5-}3UVr22A-uBCzR zuI~Tt;F0Ox*lu^Fdgb_IPA|Dff{-CSFUpSWT%cvjv&K;XP4WjMWnaT<^z2C5~LH&hnyy)6OzE} zK`OzkGQRn@icsMN!Vyh8?DYvT8JJjl08slGc;?X)(w`=zzrpxF5n<~A#l4*^4L}F# zdM*spNbmcb)+lwwo_=rdA}{K!5`dLM4B3_ODdX5wXJL$4=t@VR*L5&=SNwL+J9|Ze zB@RVXcWn*}p;ndu+E69NY6^J}q+%y6uER>g^xGY(o9rkLKfBu96F)u>OodFUbpJ+6?up$^BkgAlrocAuo8Q+ZQ;+~=bHrV z^&z-U*(PCLop_}(Tqbmz%9`{99b$&d65RQ<0TzmRinJz=67mPS*G~wd zq~4*2IpVojT;@c*CeukU>tT|Hk*?o)&?xNIF?+WlSh8LpzFb!4-5zZ92Z!4Vb}TQdfgI7&4B3AXri zAH73sh#4%lS;0hVdtrLB%i+pkiO=UG1i5n7?2IJ| z*6-D7ZhFrc?=M&ejbS5J@t4RHt9yP$1WbPznEqQ}`rBG4E+f%K4q@<}HPjWr?14vp z&kxH(-CV#UvRv9@Tj@Jm=`0e5dVuA7uh=_&dv2#trAx%f=y>>oQ9KTC`D=LD%0Rx6 zNg3K~)dvUko$#ayVH|k!Hrl&y>vCxCQQ<7oGT%CSTSGpoE|`N>t5!V5teeO%0Q@%z@CL{8wi{rCYl1 z?1!jUeutFFJgV+@a6|)&=&+`osh{0saHb8Sp&QXCo0RDZ7eVkidayKrowD0erU)vJURO#-v}ek~D&PR9tPms#ScHl_TD%bgm069V>%C)zXcmBT6nXiS6&H2iVPpQ#^4n7@ zIN6Dos{Y)l2tUy(HvmCO%g*In|9K@<9&9<=-U77NHX!&Qb2SlEexFWJl;7C=;%6AV zNrX64#5;mYuO+t?0)WZS zN}#T_UCRl|TrAy%uR>%3I(m-UDIR#dX6|zGMmKzxUM3__tRbt42X`Ew9Xh@CY~}dU zN8CsM<&XHx2Ybh>dU~Alg~l|v9j`$t)%BAM z;7kJ~X%;iI^B8I@s|O4!po9C++##KWCM7h1QmOh-xY;O)Ox+hhU~@KPZ~9^qi>_y< zAYqJ??RO_-?~i2jtUy<9s@--g9W9XmN&Rq^u!CL>=9zfq;~djHfkzXq6d-p!Mi=Ws zm5e3S2NKEBa8GGq!|zV9^>Yc#3rPHoBC6ed;cVM(VUZwvb@Gz(Utu|C@(_A!PIt~7 z1Xf4;1Z}-BU1`7%aNO%OIh?2-mCG*ZB=|RI3k^wWz?6_%;zTl}2kHikGKPW^RD1Kn z{htG>6Zk$EmM74qizKbmfBy`yo@<3z^lTARBicuifKGol06N{NPZTLVgnqL&UPXWo zUei`;&Pw`{t}m`PwvbMr5K1Hgw=D)X!%6J*s#;2$4v(Q^3Gh+={#~0290=IrB`zCL zRu8(ShS!=wfmnfO@cdgKm<}ha@h9>_&@M@dWvabmhLXP^2GMsc(^$H=OXW`t?;?-P z#z|o1WTppZR8VHo503HR%Be6|w}r1O1x({IkLjo1Dv+~|StHRejFq=GWw|@%p?x`A zvKNy&D3ntx^L`|K#@0F&BmAK+o=jG_UPx)YvlhXssW6@Ql2$unurB9p2#*)y?MK~v;v9rZ!AjR z-WBLDAzj=Pv^Hpu-*j7>$)0L+Hw)bz zy%X6Css}D>qWAsKrTLP>hNI z0vL}=odT5490+?v@XW$MltO?)R?P3BS3r4gb8>UF*OswNCrc<4E>q!m>t0thgHc65 zsEY}nu|DGKsryMlN(Qfmg?`Mt8vWRdwA=a?V_P8 
z2^qY6bMXw*`^oX$nMxpU+`~+!*<^*W3w@Xo$C}w);_7pL8Ox`kEpK4v6bXc=9O_zO zzAc5rxms)L69X|Zi3x5l?;K6)CLo%W;y+HgbEA{6KqU?J_wxQl5|1?64L7!r5(BC! z^vL(hLh}Ga71U=MM6ci({DY&I9PteOwkC%;5$~ECyt(id5to#mN*2P?>VU))X*LV7 z4`7ec7tO7t(*tQXmT^DV{?ECi6k{C%J+PQT8cJZsj^b;_^bL+53RWUW#GR%8W@S7} zk3L}5=AHec(F!)=0_97ad3DHc)IjNlNOIxIU%=zzN4wbtT>Jw(eJ#) z^d*-H@oL$^OJqyQ8@@nH4~>j}0xD+&b;!vSs_cS+2$h~I)Q{qlSx=9>UJS(@w?*S% zHtoEPa)L|5eP6}NZVfc3tjgzEbKCW!SNCnk!fk4S6_=D8m%={-s9_Zf>1c%-$i1cD z*D0RCrV@+oaF*_Wah$+*2d!2_=yL)h&@`{cftgo1F^*&Pn z885z`-Usj`bnrX@dqowBfPQ3PEH?nM|;*dpuz*+%P_U|*fm1>tAFr7E?(EO7Y@iE z#g!bdQVx&DyXF0x?@+U<=K~pNVU#gah9h=O-Itf*r@A9J(F4}w< zm-IyKO>?|>%HuR3Trxtt{B#m_$QUv&+p*W>dHs(1?g5^j52Q%mIGL^*eZNyfHD5m! zD`e>Hp56i>nzC2g=#W)ZQk-7{Aj^4|xc%wO*WE{X-6=O{_$Pf|)i+#=SDzxdAI_$KpK+@YVP7CW~rRzdHXO9UF!gZ?va4thJpy- zEh%8gJY^5$5wqHb_19aS{(!TMGUSk9ucx!xRWqTuc(b5DU`6mLeHlZY1`$gYx`eBHUchTR|;7#kREY{hOJrRtF(ojix^E zCN9v*1H>5@>+|dq9PIT?RGGS`GEjVCy39bZO|Bv9OJ0h{jwt1m{=cj2IJPFgg#rST zVRfa6GLY?+yGyOq4|fef(nTg2o&gcVU8`?t_Ce$>XT_T)5eH+L* z;$K#^Hp21W5i*=G`Md*xxV92G99{eo<=|oZj9HKeRzv`-_6qgEyez2e3GF9_t36B^ zz6PM!kU%bdqW&OdCf5z0xKI2G2ayWG7+^DmrqOxUTvNmSzLrv|b;BF?tc z?)9ZnrD?t`W_fE&pAYEOwi&Idx4AKtCi}Q95$+C^vMeu=i{l>0w4u{Qp82)-e(dfY z!jLIX`;6X&hD0tJ#$%V0F^_8JdM1(0aBKBq4vn-a zlJ;l&yCSlGyVSn*mr9b2iWJA)9d5t6;pYPo#(i%$tK8S3m};#}VJXDk;@=vD>fzqN zQ#gYX?KkOiRq+>0?5pv7XSO1Kx$=`Kf@8 zH5f}&w?#<4;``A+Md7rZz5NCyEgh*%$&mT(0OX$N%?ER^UK&!D%75>pIx+~b2y4{T zgUVnO+h}9tgnBgd9-|Pi&hLVrh3?R&^-G!G*9S1dRPRoFWjdKo5874m7iSUC7&Ji< zxDUM>0Ujy92UNS1r$oAshkM-GOE$&mA&c3?Ky#!O`PL?C1LuvsYMUnSIR;Q83rj4T zRRCBx63A>V^13R**YfXi@1H)}>#sfpem(`{^@Q^nW8d>UD{#ee)y&V5K`Z;JPDSm) zf=Zr?ICfEQ>(INFXKgp%y_b!4bs)5hSX9}ZNjwWMk<2JK5a(9}ymW2YPA-r=^6PEp zESWJ&E&j_NPyW4d$o}WekFu9RZn)!t*roAEc9gDG{o@w5HNC-)I-y+sPUf+;6)OEs zrm^}JeZRfnD~G@C;|eW{&-}ekljS!jli{K;yqVbX!<(7i*#0zFeF6|u|Ev-h3IkhYn}b9p z%SgB{46iQL5(9E#;0RPkdz-%a0ZB2@8+&VrYWepVItiD@5^2J0#RN}rNgj-=|E@SX znj1NS0qPBKJEbA6MlPa1E^2xNnj@vN8gyKlAhV-oKx4-z+OcE)Pg+exCnE 
zO_!y*KaZWUO1JFpjpkxuOY3X5y$r{CWL+uLqiJ7#@}O%%5`B6mkWT*+l(~3=oS(Zg7Vi-+))jti zQGe*Nu%*vXfDwp0wR?oSymOPexAJ(YgK08n(aP*G-$oRx1V=}V*_favj37JR)yZE} zy(XaHTc0WdYv_ZhuvuEy2Uj%&*0%b}7t$F?rxl+>di*r92>hSY!ZVh;K|7*d!v~`xK3&t^1Y8>Mk2+9#-5Zz7N^K| z8jMvax1Fq17`D|j142>|*x({TGx$y@sOM#B!%pj}6#?b{^nX8fQw^FWs+@7Q1JiHo$;8(<@I2 z=m~Q}d<3Gpe@A-W?HiH9ZY>q=c|q#QbW3~JFr;H%hmb-IJ455j3 zh5foPq$@7uu1a2ycMOs-1<(!+gyBft%1*3`y%j;Rt!}0uV>$o<)&NPbJ(J$`k+br! zt|+_fBXx8i{`^``qv@ofq8RPMLW5wleeT75O0qGkXL8b{xf7J^bT+XIQl}R3-UTH( z%LS~YM>Zjk1iwtG62?51$IfR(eWJ>{m(S{}q)I4i69UoDyqgakrg@dpTs{q+L>PRf zO6i#*_sN*VG_B3_m3+aBu6s)3lR?s95t2yHHg-=VJv-=*puAQtD`|yINUpl3od4fG z&yZ0iBmw?3#jB*{!tfHn{E?AM_t>Ho`(B2bLr4urj&M+CX~>(>V=c zZ9M6YLGIY(T0DD1(4mu_DW5_ZUk_H2$fmU6=H#{$FdAbn$m z-#~ckm8xwI+7R-He5+QmNuhcUbmxGM!NtVm#5EvhTX%Bo90lV$&eK><-%`nU!!nOaZ{p@$l^TPr){6L*;%&1TU(#nhdsF}2H;RXFSdWKZ z^pgT}S`h3FjYdg!&_&n?GzCLrcWD`bKBi_3mmp}T+wd8w$mO*n&JyMi^3BD1-TMi- zQ8CIo#U_^G8FgsEz9Q32eREd{< z9L2$m3zJbQ2X=siqt`w}IIxRa2pHq#_G0k^h4Na6b#}Z!Oh{=?;7O^QL=^qrFXO3_ zXGz?rsi}+ikDInT*)~_>gcYye;(Olo9`-Kh^p3Zx*((1E^*Y8p-EF?wyEHrg<#{Y( z*SUBU*>vMj5&i4baBw`e!ZcxWQAn#|F$}}pFp?ZAxL@Fmat7uV*gqm0L$*+;bC}yg zQkI{Mts>Y?SDa1WHhzzxI??3)bIrnr@q6Dhv&pS*57;b%?eM&8ay~be@`g2N+2-dE z86VUb8r$%F#6z)%c=y60>2}Tzd^ajSECKp_7!gB#Pq7Ctguxu^k&Vr&;4rO~6>XqZ zox47d?=!(7?B{~=rPb^ffDLSOqR0o04lu5!m+?MDH6{hM)3a3bn_yKm_R7K&AN?;-^ffNA?ig=+ zU0~ZTuaxDzsF6i*;Dvv~by2pjXUoRk$p6qATJ>~XzTA$aM7wP7ZG?Ge$)aXCD9cio zLDzevBE4+s)t#vJ2T;=dLG5w5^ZdkzM$d?U6xd|Ee^zv0T4B>& zQA5VkR-^anV%3Vvo__g|SLRu>MK37id2*^tCm1xs?HutAn$U44CI=HD$zbe}T}E$C z$*uv@+r5*j9{JON-<;Ccz%-h22>Wehsc%JgM^OpjgJWEm*)EuD{OaxVbPR1NHO|2p z_$)Gt^qa6zW>-fO+O@%01-W(J5h(gz*1H?x3_3zSdiIGNqv>zY*DZzO%Na^_KCKta zP1lenQMwVKh^i0b%)`Dw{alL#o_?YZG1JJa?1~8;>&mT~;^mW(v#He!#Yjq?S+w17 zWBdlV%OD}wRLXjidM2g@pO}KpBaA!*;j1!9HC&sIIhYzqN;!8MkU8x)+l!Yhf?bWC z(XBWNHfHE^==buzqdH`~$W%}m$)dGm93;#89>ql}?h;8z2_y{eK*EqlF9vU;r5y~iQ7uqomT6UsIi%HK zb^KFG!@}dVkyy4=Ew|Y;O;&M5aR_gk|+Jmv8 zIwrE&y*|dQZ*Jfvw@hCC*p4lcDBrPjj=;+Ekz~YiMHRRT1-p`dQ~HzNgI8 
zhx9X6?*q@mPaGPq{BsoU=}|nJMu9IA94cRs?aTLt(yTMx2!F|3)){?Vi%OFgu#3Yg zv0WB`RXQy8WdOz#$Cbh5L9M75*4&xD!~g6gF%w-9`|xWB ziG;EKfJKkqcGsZLRna+ebO^H74Vw1-g!!Hr$legW=!7{9=?Hes!|GG?(BY~b=Fb^`;>e4Fl))#{NIa7#Fu zZl)$Bsz7at>pHbfcK+c)?&%V2a;#9Ewo*`+FC`N!`^hf7Ur3qepoA=yn3O&q)y9@b z`Gh>m_WU|U=iTOzVz`e6n7BMMWVl}hKmRM{SHF<}zN}+hInfKw8uL7o1-;{uwBYx# z+1mHr2vvRB{i*ISd$hY#-PBmUeAY=ubJ)mW%<7O_P~{6PiD55lz^x9m!+4xzCELE^ zddK!lr;v0ql@_;QXQK)REp5AkbU03(OsqQAy-hbM1^B_erBR57Ka{IPzZ}mlF}3j8Eg24iYt9iP7;}>PfUK=S)!A-M6~u9;)uCQK_*_HL?F7I$c%`CA)~XJYJlnekxcr#7OHsyjJB zu^p(y4mjTYGrdK_9!(ygPWsBruQ+py5PJ#J9G9Yu*s;xgXL z&nb^Cx6eKVxW)B-|H}Q#z_->qB&T$fPj8J*wPXtYvtxVBQ1(TgAJM^*ijwTlt?wpxMrZkP?T&(9A0-lE_8?#AaAUacxjELn&t zRdWV#nLkd=ud4ur3Fkim@&U*Aqj~hUW%Ta@C3L)D1i+bh&_N)|{}?z3$O5#Q|1tJ= zC#s2~qwVi=|07O(&Q(n;aH>(DXC0t(|MsE<-{Sl`!rz5R+#?Uf5(a@VKL63n`Pb;B zyZ4=Vrw literal 0 HcmV?d00001 diff --git a/data/cis-xlsx-ocp-to-oscal-catalog.config b/data/cis-xlsx-ocp-to-oscal-catalog.config new file mode 100644 index 0000000..cbcc110 --- /dev/null +++ b/data/cis-xlsx-ocp-to-oscal-catalog.config @@ -0,0 +1,7 @@ +[task.cis-xlsx-to-oscal-catalog] + +title = CIS Red Hat OpenShift Container Platform Benchmark +version = v1.2.0-2 +input-file = CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx +output-dir = catalogs/ocp-v1.2.0-2 +output-overwrite = true From 2f70ab521b2ebe2075e528d5fd464c935b64552d Mon Sep 17 00:00:00 2001 From: Automation Bot Date: Fri, 5 May 2023 14:11:41 +0000 Subject: [PATCH 02/14] Autoupdate [ci skip] --- md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md | 4 +++- md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md | 4 +++- md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md b/md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md index 23725ff..9f7107a 100644 --- a/md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md +++ b/md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md 
@@ -2,7 +2,9 @@ ## Control Statement -Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication. +Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. + +It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication. ## Control rationale_statement diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md index 36ba658..ad71726 100644 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md +++ b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md 
@@ -2,7 +2,9 @@ ## Control Statement -Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items. Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product. +Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items. + +Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product. ## Control rationale_statement diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md index 08c1b49..757ca4f 100644 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md +++ b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md 
@@ -2,7 +2,9 @@ ## Control Statement -The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access) As such, access to create new pods should be restricted to the smallest possible group of users. +The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access) + +As such, access to create new pods should be restricted to the smallest possible group of users. ## Control rationale_statement From 5bcda538b002856ed30773bcd6e52a8b248091be Mon Sep 17 00:00:00 2001 From: degenaro Date: Fri, 5 May 2023 10:14:39 -0400 Subject: [PATCH 03/14] Undo oops! Wrongly delivered directly to develop. Signed-off-by: degenaro --- catalogs/ocp4-cis/catalog.json | 1696 ++++++++--------- ...Container_Platform_Benchmark_v1.2.0-2.xlsx | Bin 120094 -> 0 bytes data/cis-xlsx-ocp-to-oscal-catalog.config | 7 - 3 files changed, 848 insertions(+), 855 deletions(-) delete mode 100644 data/CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx delete mode 100644 data/cis-xlsx-ocp-to-oscal-catalog.config diff --git a/catalogs/ocp4-cis/catalog.json b/catalogs/ocp4-cis/catalog.json index bb91775..3ed34d7 100644 --- a/catalogs/ocp4-cis/catalog.json +++ b/catalogs/ocp4-cis/catalog.json 
@@ -1,11 +1,11 @@
 {
 "catalog": {
- "uuid": "2f097fb2-8126-4a60-bf17-1ccf59385a3b",
+ "uuid": "9d69e91b-523c-4915-89f1-92731b1b85f7",
 "metadata": {
 "title": "CIS Red Hat OpenShift Container Platform Benchmark",
- "last-modified": "2023-05-05T13:50:12+00:00",
- "version": "v1.2.0-2",
- "oscal-version": "1.0.4"
+ "last-modified": "2023-02-15T07:14:21.927553+00:00",
+ "version": "0.2.0",
+ "oscal-version": "1.0.2"
 },
 "groups": [
 {
@@ -94,7 +94,7 @@
 ],
 "links": [
 {
- "href": "#8bb677a7-7b91-4f77-b721-85c544770893",
+ "href": "#4fa8c2d3-6b4c-428a-a0bb-5e25f4bed301",
 "rel": "reference"
 }
 ],
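Review bot: The `md_catalogs/` markdown that patch 02 (Autoupdate) regenerated on top of the reverted catalog is not reverted here, so after this hunk `catalogs/ocp4-cis/catalog.json` is back at `"version": "0.2.0"` / `"oscal-version": "1.0.2"` while the markdown presumably still reflects the v1.2.0-2 content. If the markdown is derived from the JSON catalog, this revert should either carry the inverse of patch 02 or be followed by a regeneration so the two do not drift. The remaining hunks of this file (@@ -94 through @@ -846) are the mechanical inverse of patch 01 and carry the same concern; nothing else to raise on them.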
@@ -105,27 +105,27 @@ "prose": "Ensure that the API server pod specification file has permissions of `600` or more restrictive." }, { - "id": "CIS-1.1.1_rat", + "id": "CIS-1.1.1_rationale_statement", "name": "rationale_statement", "prose": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable only by the administrators on the system." }, { - "id": "CIS-1.1.1_imp", + "id": "CIS-1.1.1_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.1_rem", + "id": "CIS-1.1.1_remediation_procedure", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\n```" }, { - "id": "CIS-1.1.1_aud", + "id": "CIS-1.1.1_audit_procedure", "name": "audit_procedure", "prose": "OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server.\n\nThe OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. \n\nThe Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. 
The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 0644.\n\nTo verify pod specification file permissions for the kube-apiserver, run the following command.\n\n```\n#echo “check kube-apiserver pod specification file permissions”\n\nfor i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )\ndo\n oc exec -n openshift-kube-apiserver $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive." }, { - "id": "CIS-1.1.1_ctl", + "id": "CIS-1.1.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -188,7 +188,7 @@ ], "links": [ { - "href": "#b4771c7c-b878-40ac-9e05-21476d348568", + "href": "#a17d309e-222a-44a5-b2df-e0239742208d", "rel": "reference" } ], 
@@ -199,27 +199,27 @@ "prose": "Ensure that the API server pod specification file ownership is set to `root:root`." }, { - "id": "CIS-1.1.2_rat", + "id": "CIS-1.1.2_rationale_statement", "name": "rationale_statement", "prose": "The API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-1.1.2_imp", + "id": "CIS-1.1.2_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.2_rem", + "id": "CIS-1.1.2_remediation_procedure", "name": "remediation_procedure", "prose": "No remediation required; file permissions are managed by the operator." }, { - "id": "CIS-1.1.2_aud", + "id": "CIS-1.1.2_audit_procedure", "name": "audit_procedure", "prose": "OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. \n\nThe OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. \n\nThe Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with ownership `root:root`.\n\nTo verify pod specification file ownership for the kube-apiserver, run the following command.\n\n```\n#echo “check kube-apiserver pod specification file ownership”\n\nfor i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )\ndo\n oc exec -n openshift-kube-apiserver $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\ndone\n```\nVerify that the ownership is set to `root:root`." 
}, { - "id": "CIS-1.1.2_ctl", + "id": "CIS-1.1.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" } @@ -282,7 +282,7 @@ ], "links": [ { - "href": "#b06b95e2-d73e-4e4d-a334-ae863bdd80d2", + "href": "#f7f556ab-234b-4a8a-a2ca-fec600e826de", "rel": "reference" } ], 
@@ -293,27 +293,27 @@ "prose": "Ensure that the controller manager pod specification file has permissions of `600` or more restrictive." }, { - "id": "CIS-1.1.3_rat", + "id": "CIS-1.1.3_rationale_statement", "name": "rationale_statement", "prose": "The controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-1.1.3_imp", + "id": "CIS-1.1.3_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.3_rem", + "id": "CIS-1.1.3_remediation_procedure", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\n```" }, { - "id": "CIS-1.1.3_aud", + "id": "CIS-1.1.3_audit_procedure", "name": "audit_procedure", "prose": "OpenShift 4 deploys two controller managers: the OpenShift Controller manager and the Kube Controller manager. \n\nThe OpenShift Controller manager is managed as a deployment. The pod specification yaml for openshift-controller-manager is stored in etcd. \n\nThe Kube Controller manager is managed as a static pod. The pod specification file for the openshift-kube-controller-manager is created on control plane nodes at /etc/kubernetes/manifests/kube-controller-manager-pod.yaml. 
It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml with permissions 0644.\n\nTo verify pod specification file permissions for the kube-controller-manager, run the following command.\n\n```\n#echo \"check openshift-kube-controller-manager pod specification file permissions\"\n\nfor i in $( oc get pods -n openshift-kube-controller-manager -o name -l app=kube-controller-manager)\ndo\n oc exec -n openshift-kube-controller-manager $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive." }, { - "id": "CIS-1.1.3_ctl", + "id": "CIS-1.1.3_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -376,7 +376,7 @@ ], "links": [ { - "href": "#4d949458-3dce-4886-bcae-e8927b7f6b5b", + "href": "#005c3423-193e-4db8-9ea4-a4535d6615dd", "rel": "reference" } ], 
@@ -387,27 +387,27 @@ "prose": "Ensure that the controller manager pod specification file ownership is set to `root:root`." }, { - "id": "CIS-1.1.4_rat", + "id": "CIS-1.1.4_rationale_statement", "name": "rationale_statement", "prose": "The controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-1.1.4_imp", + "id": "CIS-1.1.4_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.4_rem", + "id": "CIS-1.1.4_remediation_procedure", "name": "remediation_procedure", "prose": "No remediation required; file permissions are managed by the operator." }, { - "id": "CIS-1.1.4_aud", + "id": "CIS-1.1.4_audit_procedure", "name": "audit_procedure", "prose": "OpenShift 4 deploys two controller managers: the OpenShift Controller manager and the Kube Controller manager. \n\nThe OpenShift Controller manager is managed as a deployment. The pod specification yaml for openshift-controller-manager is stored in etcd. \n\nThe Kube Controller manager is managed as a static pod. The pod specification file for the openshift-kube-controller-manager is created on control plane nodes at /etc/kubernetes/manifests/kube-controller-manager-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml with ownership root:root.\n\nRun the following command.\n\n```\n#echo “openshift-kube-controller-manager pod specification file ownership\"\n\nfor i in $( oc get pods -n openshift-kube-controller-manager -o name -l app=kube-controller-manager)\ndo\n oc exec -n openshift-kube-controller-manager $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\ndone\n```\n\nVerify that the ownership is set to `root:root`." 
}, { - "id": "CIS-1.1.4_ctl", + "id": "CIS-1.1.4_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" } @@ -470,7 +470,7 @@ ], "links": [ { - "href": "#b926b009-736f-4256-aba4-f00d92a4250f", + "href": "#17caf35a-2d76-4359-8ff9-dc3b12f2a874", "rel": "reference" } ], 
@@ -481,27 +481,27 @@ "prose": "Ensure that the scheduler pod specification file has permissions of `600` or more restrictive." }, { - "id": "CIS-1.1.5_rat", + "id": "CIS-1.1.5_rationale_statement", "name": "rationale_statement", "prose": "The scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-1.1.5_imp", + "id": "CIS-1.1.5_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.5_rem", + "id": "CIS-1.1.5_remediation_procedure", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n```" }, { - "id": "CIS-1.1.5_aud", + "id": "CIS-1.1.5_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4 the kube-scheduler is deployed as a static pod and its pod specification file is created on control plane nodes at /etc/kubernetes/manifests/kube-scheduler-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml with permissions 0644.\n\nTo verify, run the following command. \n\n```\n#Verify openshift-kube-scheduler permissions\n\nfor i in $(oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name)\n do\n oc exec -n openshift-kube-scheduler $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n done\n```\n\nVerify that the permissions are `600` or more restrictive." }, { - "id": "CIS-1.1.5_ctl", + "id": "CIS-1.1.5_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -564,7 +564,7 @@ ], "links": [ { - "href": "#c0701093-fab7-42c3-920c-93a01dcfeb2d", + "href": "#ba265dc2-094e-48d5-a15a-8b982fb6d579", "rel": "reference" } ], 
@@ -575,27 +575,27 @@ "prose": "Ensure that the scheduler pod specification file ownership is set to `root:root`." }, { - "id": "CIS-1.1.6_rat", + "id": "CIS-1.1.6_rationale_statement", "name": "rationale_statement", "prose": "The scheduler pod specification file controls various parameters that set the behavior of the `kube-scheduler` service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-1.1.6_imp", + "id": "CIS-1.1.6_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.6_rem", + "id": "CIS-1.1.6_remediation_procedure", "name": "remediation_procedure", "prose": "No remediation required; file permissions are managed by the operator." }, { - "id": "CIS-1.1.6_aud", + "id": "CIS-1.1.6_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the kube-scheduler is deployed as a static pod and its pod specification file is created on control plane nodes at /etc/kubernetes/manifests/kube-scheduler-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml with ownership `root:root`.\n\nRun the following command. \n\n```\n#Verify openshift-kube-scheduler ownership\nfor i in $(oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name)\n do\n oc exec -n openshift-kube-scheduler $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n done\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-1.1.6_ctl", + "id": "CIS-1.1.6_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" } @@ -658,7 +658,7 @@ ], "links": [ { - "href": "#822f1e30-a21f-4cff-9c9d-5065b8f675b7", + "href": "#a66fe000-f5f1-4fe8-b67f-f2260dd22875", "rel": "reference" } ], 
@@ -669,27 +669,27 @@ "prose": "Ensure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of `600` or more restrictive." }, { - "id": "CIS-1.1.7_rat", + "id": "CIS-1.1.7_rationale_statement", "name": "rationale_statement", "prose": "The etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the `etcd` service in the master node. `etcd` is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-1.1.7_imp", + "id": "CIS-1.1.7_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.1.7_rem", + "id": "CIS-1.1.7_remediation_procedure", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/manifests/etcd-pod.yaml\n```" }, { - "id": "CIS-1.1.7_aud", + "id": "CIS-1.1.7_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, starting with OpenShift 4.4, the etcd pod specification file is generated by the cluster etcd operator. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml` with permissions `644`.\n\nThe default etcd pod specification file is available here: [openshift/cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml)\n\nRun the following command.\n\n```\n#Verify openshift-etcd permissions\n\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )\ndo\n echo \"check pod $i\"\n oc rsh -n openshift-etcd $i \\\n stat -c %a /etc/kubernetes/manifests/etcd-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive." 
}, { - "id": "CIS-1.1.7_ctl", + "id": "CIS-1.1.7_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -752,7 +752,7 @@ ], "links": [ { - "href": "#e45552c2-8d5b-4d42-823f-0ddfed828273", + "href": "#d14ae650-3329-416b-9a3b-bea168fe3742", "rel": "reference" } ], 
@@ -763,27 +763,27 @@
 "prose": "Ensure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.8_rat",
+ "id": "CIS-1.1.8_rationale_statement",
 "name": "rationale_statement",
 "prose": "The etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the `etcd` service in the master node. `etcd` is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
 },
 {
- "id": "CIS-1.1.8_imp",
+ "id": "CIS-1.1.8_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.8_rem",
+ "id": "CIS-1.1.8_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.8_aud",
+ "id": "CIS-1.1.8_audit_procedure",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, starting with OpenShift 4.4, the etcd pod specification file is generated by the cluster etcd operator. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml` with ownership `root:root`.\n\nThe default etcd pod specification file is available here: [openshift/cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml)\n\nRun the following command :\n\n```\n#Verify openshift-etcd ownership\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )\ndo\n echo \"check pod $i\"\n oc rsh -n openshift-etcd $i \\\n stat -c %U:%G /etc/kubernetes/manifests/etcd-pod.yaml\ndone\n```\n\nVerify that the ownership is set to `root:root`." 
},
 {
- "id": "CIS-1.1.8_ctl",
+ "id": "CIS-1.1.8_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 } 
@@ -846,7 +846,7 @@
 ],
 "links": [
 {
- "href": "#ccaed7c9-7ce1-412a-aae5-cb53e37cc0c8",
+ "href": "#5864249f-943b-4f1c-9a21-2a0a42e92dea",
 "rel": "reference"
 }
 ], 
@@ -857,27 +857,27 @@
 "prose": "Ensure that the Container Network Interface files have permissions of `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.9_rat",
+ "id": "CIS-1.1.9_rationale_statement",
 "name": "rationale_statement",
 "prose": "Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be writable by only the administrators on the system."
 },
 {
- "id": "CIS-1.1.9_imp",
+ "id": "CIS-1.1.9_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.9_rem",
+ "id": "CIS-1.1.9_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.9_aud",
+ "id": "CIS-1.1.9_audit_procedure",
 "name": "audit_procedure",
 "prose": "The Cluster Network Operator (CNO) deploys and manages the cluster network components on an OpenShift Container Platform cluster. This includes the Container Network Interface (CNI) default network provider plug-in selected for the cluster during installation. OpenShift Container Platform uses the Multus CNI plug-in to allow chaining of CNI plug-ins. The default Pod network must be configured during cluster installation. By default, the CNO deploys the OpenShift SDN as the default Pod network. \n\nEnsure that the Container Network Interface file permissions, multus, openshift-sdn and Open vSwitch (OVS) file permissions are set to 644 or more restrictive. The SDN components are deployed as DaemonSets across the master/worker nodes with controllers limited to control plane nodes. OpenShift deploys OVS as a network overlay by default. 
Various configurations (ConfigMaps and other files managed by the operator via hostpath but stored on the container hosts) are stored in the following locations:\n\nCNI/Multus (pod muluts):\n\n`/host/etc/cni/net.d = CNI_CONF_DIR`\n`/host/var/run/multus/cni/net.d = multus config dir`\n\nSDN (pod ovs; daemonset; app=ovs):\n\n`/var/lib/cni/networks/openshift-sdn `\n`/var/run/openshift-sdn`\n\nOVS (container openvswitch):\n\n`/var/run/openvswitch`\n`/etc/openvswitch`\n`/run/openvswitch`\n\nRun the following commands. \n\n```\n\n# For CNI multus\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%a %n\\\" /host/etc/cni/net.d/*.conf\"; done\n\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%a %n\\\" /host/var/run/multus/cni/net.d/*.conf\"; done\n\n# For SDN pods\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c %a {} \\;; done\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/run/openshift-sdn -type f -exec stat -c %a {} \\;; done\n\n# For OVS pods\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /var/run/openvswitch -type f -exec stat -c %a {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /etc/openvswitch -type f -exec stat -c %a {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /run/openvswitch -type f -exec stat -c %a {} \\;; done \n```\n\nVerify that the config files for the CNI multus pods have permissions of 600 or more restrictive. 
\n\n`/host/etc/cni/net.d/00-multus.conf = 600`\n`/host/var/run/multus/cni/net.d/80-openshift-network.conf = 600`\n\nVerify that the SDN pods permissions are 600 or more restrictive.\n\n`/var/lib/cni/networks/openshift-sdn/* = 600`\n`/var/run/openshift-sdn/cniserver/config.json = 600`\n\nVerify that the OVS permissions are 600 or more restrictive.\n\n`/var/run/openvswitch/ovs-vswitchd.pid = 600`\n`/etc/openvswitch/conf.db = 600`\n`/etc/openvswitch/system-id.conf = 600`\n`/etc/openvswitch/.conf.db.~lock~ = 600`\n`/run/openvswitch/ovs-vswitchd.pid = 600`\n`/run/openvswitch/ovsdb-server.pid = 644`"
 },
 {
- "id": "CIS-1.1.9_ctl",
+ "id": "CIS-1.1.9_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;"
 } 
@@ -940,7 +940,7 @@
 ],
 "links": [
 {
- "href": "#8d4d808e-99b0-4181-815f-2a7b03e311f7",
+ "href": "#b679d699-ad77-45c7-9ed4-454a836b1031",
 "rel": "reference"
 }
 ], 
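Review bot: The CIS-1.1.9 audit prose contradicts the control's own statement: the title requires permissions of `600` or more restrictive, the audit body asks to ensure the multus, openshift-sdn and OVS files are set to `644` or more restrictive, and the expected-output list ends with `/run/openvswitch/ovsdb-server.pid = 644` directly under "Verify that the OVS permissions are 600 or more restrictive". An assessor following the prose literally cannot tell which threshold is a finding. Either the `644` statements are a carry-over from an earlier benchmark revision and should read `600`, or the `ovsdb-server.pid` entry is a deliberate exception and should be labelled as one; if the JSON is regenerated from the xlsx, the correction belongs in the source row.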
@@ -951,27 +951,27 @@
 "prose": "Ensure that the Container Network Interface files have ownership set to `root:root`."
 },
 {
- "id": "CIS-1.1.10_rat",
+ "id": "CIS-1.1.10_rationale_statement",
 "name": "rationale_statement",
 "prose": "Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be owned by `root:root`."
 },
 {
- "id": "CIS-1.1.10_imp",
+ "id": "CIS-1.1.10_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.10_rem",
+ "id": "CIS-1.1.10_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "No remediation required; file permissions are managed by the operator."
 },
 {
- "id": "CIS-1.1.10_aud",
+ "id": "CIS-1.1.10_audit_procedure",
 "name": "audit_procedure",
 "prose": "The Cluster Network Operator (CNO) deploys and manages the cluster network components on an OpenShift Container Platform cluster. This includes the Container Network Interface (CNI) default network provider plug-in selected for the cluster during installation. OpenShift Container Platform uses the Multus CNI plug-in to allow chaining of CNI plug-ins. The default Pod network must be configured during cluster installation. By default, the CNO deploys the OpenShift SDN as the default Pod network. \n\nEnsure that the `multu` and `openshift-sdn` file ownership is set to root:root and the Open vSwitch (OVS) file ownership is set to `openvswitch:openvswitch`. \n\nThe SDN components are deployed as DaemonSets across the master/worker nodes with controllers limited to control plane nodes. OpenShift deploys OVS as a network overlay by default. 
Various configurations (ConfigMaps and other files managed by the operator via `hostpath` but stored on the container hosts) are stored in the following locations:\n\nCNI:\n\n`/etc/cni/net.d`\n`/host/var/run/multus/cni/net.d`\n\nSDN:\n\n`/var/lib/cni/networks/openshift-sdn `\n`/var/run/openshift-sdn`\n\nSDN OVS:\n\n`/var/run/openvswitch`\n`/etc/openvswitch`\n`/run/openvswitch`\n\nRun the following commands.\n\n```\n\n# For CNI multus\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%U:%G %n\\\" /host/etc/cni/net.d/*.conf\"; done\n\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%U:%G %n\\\" /host/var/run/multus/cni/net.d/*.conf\"; done\n\n# For SDN pods\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c \\\"%U:%G\\\" {} \\;; done\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/run/openshift-sdn -type f -exec stat -c %U:%G {} \\;; done\n\n# For OVS pods in 4.5\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /var/run/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /etc/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /run/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\n# For OVS pods in 4.6\nTBD\n```\n\nVerify that the CNI and SDN file ownership is set to `root:root`.\n\n`/host/etc/cni/net.d/00-multus.conf = root:root`\n`/host/var/run/multus/cni/net.d/80-openshift-network.conf = root:root`\n`/var/lib/cni/networks/openshift-sdn = root:root`\n`/var/run/openshift-sdn = 
root:root`\n\nVerify that the OVS file ownership is set to `openvswitch:openvswitch`.\n\n`/var/run/openvswitch = openvswitch:openvswitch`\n`/etc/openvswitch = openvswitch:openvswitch`\n`/run/openvswitch = openvswitch:openvswitch`"
 },
 {
- "id": "CIS-1.1.10_ctl",
+ "id": "CIS-1.1.10_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 } 
@@ -1034,7 +1034,7 @@
 ],
 "links": [
 {
- "href": "#57b03bf4-abef-4ffb-a8d5-83dd1e32a84f",
+ "href": "#1436e335-5bdc-4339-aa7e-ded1e56b015c",
 "rel": "reference"
 }
 ], 
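Review bot: The CIS-1.1.10 audit procedure ships a placeholder inside its command block: the `# For OVS pods in 4.6` section contains only `TBD`, so anyone who extracts and runs the fenced commands has no ownership check for that release, and the summary sentence above it misspells the component as `multu` (`multus`). The location list also gives the CNI directory as `/etc/cni/net.d` while the matching command inspects `/host/etc/cni/net.d/*.conf`, so the documented path and the audited path differ. These are content defects carried in from the benchmark text; if the JSON is regenerated from the xlsx they need correcting there, otherwise this hunk is the place.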
@@ -1045,27 +1045,27 @@
 "prose": "Ensure that the etcd data directory has permissions of `700` or more restrictive."
 },
 {
- "id": "CIS-1.1.11_rat",
+ "id": "CIS-1.1.11_rationale_statement",
 "name": "rationale_statement",
 "prose": "`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should not be readable or writable by any group members or the world."
 },
 {
- "id": "CIS-1.1.11_imp",
+ "id": "CIS-1.1.11_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.11_rem",
+ "id": "CIS-1.1.11_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "No remediation required. File permissions are managed by the `etcd` operator."
 },
 {
- "id": "CIS-1.1.11_aud",
+ "id": "CIS-1.1.11_audit_procedure",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml`. The `etcd` database is stored on the container host in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The permissions for this directory on the container host is `700`. \n\nStarting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. cluster-admin rights are required to exec into `etcd` containers.\n\nRun the following commands.\n\n```\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %a%n /var/lib/etcd/member; done\n```\n\nVerify that the permissions are `700`." 
},
 {
- "id": "CIS-1.1.11_ctl",
+ "id": "CIS-1.1.11_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;"
 } 
@@ -1128,7 +1128,7 @@
 ],
 "links": [
 {
- "href": "#4ed24380-ff84-471a-b732-d190144e9be3",
+ "href": "#28d31254-ad8d-47c5-a102-594b3db49a4c",
 "rel": "reference"
 }
 ], 
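Review bot: In the CIS-1.1.11 audit command `stat -c %a%n` runs the mode and the path together with no separator (the output reads like `700/var/lib/etcd/member`), while the closing sentence asks to verify the value is `700`; `stat -c '%a %n'` gives output that can be compared mechanically, and matches the separate-field style of the CIS-1.1.12 command below. The prose also describes the `700` expectation for `/var/lib/etcd` while the command audits `/var/lib/etcd/member`; one sentence saying which directory the threshold applies to would remove the ambiguity.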
@@ -1139,27 +1139,27 @@
 "prose": "Ensure that the `etcd` data directory ownership is set to `etcd:etcd`."
 },
 {
- "id": "CIS-1.1.12_rat",
+ "id": "CIS-1.1.12_rationale_statement",
 "name": "rationale_statement",
 "prose": "`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.\n\nNOTE: The only users that exist on an RHCOS OpenShift node are root and core. This is intentional, as regular management of the underlying RHCOS cluster nodes is designed to be performed via the OpenShift API itself. The core user is a member of the wheel group, which gives it permission to use `sudo` for running privileged commands. Adding additional users at the node level is highly discouraged."
 },
 {
- "id": "CIS-1.1.12_imp",
+ "id": "CIS-1.1.12_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-1.1.12_rem",
+ "id": "CIS-1.1.12_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "No remediation required; file ownership is managed by the operator."
 },
 {
- "id": "CIS-1.1.12_aud",
+ "id": "CIS-1.1.12_audit_procedure",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The `etcd` database is stored on the master nodes in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The ownership for this directory on the `etcd-member` container and on the container host is `root:root`. \n\nStarting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. 
cluster-admin rights are required to exec into `etcd` containers.\n\nRun the following command.\n\n```\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %U:%G /var/lib/etcd/member; done\n```\n\nVerify that the ownership is set to `root:root`."
 },
 {
- "id": "CIS-1.1.12_ctl",
+ "id": "CIS-1.1.12_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;"
 } 
@@ -1222,7 +1222,7 @@
 ],
 "links": [
 {
- "href": "#ccba75f5-d463-4f61-ab24-1dfce255d5b1",
+ "href": "#5872a0ff-2aea-4191-a31b-d914bdc46ca5",
 "rel": "reference"
 }
 ], 
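Review bot: The CIS-1.1.12 title and rationale require the `etcd` data directory to be owned by `etcd:etcd`, but the audit procedure states the ownership on the host is `root:root` and ends with "Verify that the ownership is set to `root:root`", so the pass criterion contradicts the control statement. Whichever ownership is correct for an OpenShift 4 node, the parts must agree, otherwise automated assessment of this control yields either a false pass or a permanent false finding. If the catalog is regenerated from the xlsx the fix belongs there; in either case a sentence in the audit prose explaining why `root:root` satisfies a control titled `etcd:etcd` (or a corrected title) is needed.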
@@ -1233,27 +1233,27 @@
 "prose": "Ensure that the `admin.conf` file has permissions of `600` or more restrictive."
 },
 {
- "id": "CIS-1.1.13_rat",
+ "id": "CIS-1.1.13_rationale_statement",
 "name": "rationale_statement",
 "prose": "The `admin.conf` is the administrator `kubeconfig` file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
 },
 {
- "id": "CIS-1.1.13_imp",
+ "id": "CIS-1.1.13_impact_statement",
 "name": "impact_statement",
 "prose": "None."
 },
 {
- "id": "CIS-1.1.13_rem",
+ "id": "CIS-1.1.13_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Execute the command below:\n\n```\nchmod 600 /etc/kubernetes/kubeconfig/admin.config\n```"
 },
 {
- "id": "CIS-1.1.13_aud",
+ "id": "CIS-1.1.13_audit_procedure",
 "name": "audit_procedure",
 "prose": "In OpenShift 4 the admin config file is stored in `/etc/kubernetes/kubeconfig` with permissions `644`.\n\nRun the following command.\n\n```\nfor i in $(oc get nodes -o name)\n do\n echo $i\n oc debug $i -- <.`. The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. 
\n\nRun the following command:\n\n```\n# TLS Cert File - openshift-kube-apiserver\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.certFile\n\n# TLS Key File\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.keyFile\n```\n\nVerify that the following files exist.\n\n`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt` \n`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key`"
 },
 {
- "id": "CIS-1.2.30_ctl",
+ "id": "CIS-1.2.30_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;"
 } 
@@ -4908,7 +4908,7 @@
 ],
 "links": [
 {
- "href": "#7f3c670d-2513-4acf-a814-6cba66af12b3",
+ "href": "#befe3b8f-c971-4274-9724-1df35e87491c",
 "rel": "reference"
 }
 ], 
@@ -4919,27 +4919,27 @@
 "prose": "Setup TLS connection on the API server."
 },
 {
- "id": "CIS-1.2.31_rat",
+ "id": "CIS-1.2.31_rationale_statement",
 "name": "rationale_statement",
 "prose": "API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate."
 },
 {
- "id": "CIS-1.2.31_imp",
+ "id": "CIS-1.2.31_impact_statement",
 "name": "impact_statement",
 "prose": "TLS and client certificate authentication must be configured for your Kubernetes cluster deployment. By default, OpenShift uses X.509 certificates to provide secure connections between the API server and node/kubelet. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. The OpenShift Container Platform alerting framework has rules to help identify when a certificate issue is about to occur. These rules consist of the following checks:\n\n- API server client certificate expiration is less than five minutes."
 },
 {
- "id": "CIS-1.2.31_rem",
+ "id": "CIS-1.2.31_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "OpenShift automatically manages TLS authentication for the API server communication with the node/kublet. This is not configurable. \n\nYou may optionally set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. \n\n```\nUser-provided certificates must be provided in a kubernetes.io/tls type Secret in the openshift-config namespace. 
Update the API server cluster configuration, the apiserver/cluster resource, to enable the use of the user-provided certificate.\n```"
 },
 {
- "id": "CIS-1.2.31_aud",
+ "id": "CIS-1.2.31_audit_procedure",
 "name": "audit_procedure",
 "prose": "OpenShift uses X.509 certificates to provide secure connections between API server and node/kubelet by default. OpenShift configures the `client-ca-file` value and does not use value assigned to the `client-ca-file` flag. OpenShift generates the necessary files and sets the arguments appropriately. \n\nThe API server is accessible by clients external to the cluster at `api..`. The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. \n\nRun the following command:\n\n```\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.clientCA\n```\n\nVerify that the following file exists.\n\n`/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt`"
 },
 {
- "id": "CIS-1.2.31_ctl",
+ "id": "CIS-1.2.31_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;"
 } 
@@ -5002,7 +5002,7 @@
 ],
 "links": [
 {
- "href": "#3dab0d41-67da-4f36-9137-7e63b621682c",
+ "href": "#145df28f-05bb-489e-a5f2-120c097942d7",
 "rel": "reference"
 }
 ], 
@@ -5013,27 +5013,27 @@
 "prose": "`etcd` should be configured to make use of TLS encryption for client connections."
 },
 {
- "id": "CIS-1.2.32_rat",
+ "id": "CIS-1.2.32_rationale_statement",
 "name": "rationale_statement",
 "prose": "`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the `etcd` server using a SSL Certificate Authority file."
 },
 {
- "id": "CIS-1.2.32_imp",
+ "id": "CIS-1.2.32_impact_statement",
 "name": "impact_statement",
 "prose": "TLS and client certificate authentication must be configured for `etcd`."
 },
 {
- "id": "CIS-1.2.32_rem",
+ "id": "CIS-1.2.32_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "None required. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. Communication with `etcd` is secured by the `etcd` serving CA."
 },
 {
- "id": "CIS-1.2.32_aud",
+ "id": "CIS-1.2.32_audit_procedure",
 "name": "audit_procedure",
 "prose": "OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift does not use values assigned to the `etcd-cafile` argument. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. OpenShift includes multiple certificate authorities (CAs) providing independent chains of trust, increasing the security posture of the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. 
Communication with `etcd` is secured by the `etcd` serving CA.\n\nRun the following command\n\n```\n# etcd CA File\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .storageConfig.ca\n\n# for ocp 4.6 replace jq -r .storageConfig.ca with\n jq -r '.apiServerArguments[\"etcd-cafile\"]'\n```\n\nVerify that the following is returned\n\n`/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt`"
 },
 {
- "id": "CIS-1.2.32_ctl",
+ "id": "CIS-1.2.32_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;"
 } 
@@ -5096,7 +5096,7 @@
 ],
 "links": [
 {
- "href": "#5992b0b7-d2b0-47a3-b819-d13bdde29a68",
+ "href": "#d02d38ef-2e86-4dcf-a894-b44ddb562b12",
 "rel": "reference"
 }
 ], 
@@ -5107,27 +5107,27 @@
 "prose": "Encrypt `etcd` key-value store."
 },
 {
- "id": "CIS-1.2.33_rat",
+ "id": "CIS-1.2.33_rationale_statement",
 "name": "rationale_statement",
 "prose": "`etcd` is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures."
 },
 {
- "id": "CIS-1.2.33_imp",
+ "id": "CIS-1.2.33_impact_statement",
 "name": "impact_statement",
 "prose": "When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:\n\n- Secrets\n- ConfigMaps\n- Routes\n- OAuth access tokens\n- OAuth authorize tokens\n\nWhen you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup."
 },
 {
- "id": "CIS-1.2.33_rem",
+ "id": "CIS-1.2.33_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)"
 },
 {
- "id": "CIS-1.2.33_aud",
+ "id": "CIS-1.2.33_audit_procedure",
 "name": "audit_procedure",
 "prose": "OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. 
Keys are stored on the filesystem of the master and automatically rotated.\n\nFollow the steps in the documentation to encrypt the `etcd` datastore: Encrypting [etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)\n\nRun the following command to review the `Encrypted` status condition for the OpenShift API server to verify that its resources were successfully encrypted:\n\n```\n# encrypt the etcd datastore\noc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n```\n\nThe output shows `EncryptionCompleted` upon successful encryption. \n\n- `EncryptionCompleted`\n- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io`\n\nIf the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again."
 },
 {
- "id": "CIS-1.2.33_ctl",
+ "id": "CIS-1.2.33_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;"
 } 
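Review bot: The CIS-1.2.33 audit prose names the cipher as `asecbc`, a transposition of `aescbc` (the spelling the CIS-1.2.34 rationale in this chunk uses); the same misspelling recurs in the CIS-1.2.34 audit prose. In the same part the comment `# encrypt the etcd datastore` sits above an `oc get openshiftapiserver -o=jsonpath=…` that only reads the `Encrypted` status condition and encrypts nothing, so a reader skimming the block is told the opposite of what it does; `# check the etcd encryption status` is the accurate comment, in both 1.2.33 and 1.2.34. If the catalog is regenerated from the xlsx, both corrections belong in the source rows.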
@@ -5190,7 +5190,7 @@
 ],
 "links": [
 {
- "href": "#1acc4a3c-6834-4fb0-bae1-d743511159c0",
+ "href": "#9e782cd9-b388-4b72-ba8e-5ae74e2fc06f",
 "rel": "reference"
 }
 ], 
@@ -5201,27 +5201,27 @@ "prose": "Where `etcd` encryption is used, appropriate providers should be configured." }, { - "id": "CIS-1.2.34_rat", + "id": "CIS-1.2.34_rationale_statement", "name": "rationale_statement", "prose": "Where `etcd` encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the `aescbc`, `kms` and `secretbox` are likely to be appropriate options." }, { - "id": "CIS-1.2.34_imp", + "id": "CIS-1.2.34_impact_statement", "name": "impact_statement", "prose": "When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:\n\n- Secrets\n- ConfigMaps\n- Routes\n- OAuth access tokens\n- OAuth authorize tokens\n\nWhen you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup." }, { - "id": "CIS-1.2.34_rem", + "id": "CIS-1.2.34_remediation_procedure", "name": "remediation_procedure", "prose": "Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)" }, { - "id": "CIS-1.2.34_aud", + "id": "CIS-1.2.34_audit_procedure", "name": "audit_procedure", "prose": "OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. No other ciphers are supported. Keys are stored on the filesystem of the master and automatically rotated.\n\nRun the following command to review the Encrypted status condition for the OpenShift API server to verify that its resources were successfully encrypted:\n\n```\n# encrypt the etcd datastore \noc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n```\n\nThe output shows EncryptionCompleted upon successful encryption. 
\n\n- `EncryptionCompleted`\n- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io`\n\nIf the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again." }, { - "id": "CIS-1.2.34_ctl", + "id": "CIS-1.2.34_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -5284,7 +5284,7 @@ ], "links": [ { - "href": "#e75501a2-c5f6-42b0-8c4c-56220a7d5321", + "href": "#22b065f6-0a4a-4564-86a1-e6a050ebbcca", "rel": "reference" } ], 
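Review bot: The audit procedure for CIS-1.2.34 states `The asecbc cipher is used. No other ciphers are supported.`, which misspells the provider (`aescbc`) and contradicts the rationale part of the same control that lists `aescbc`, `kms` and `secretbox` as appropriate options, so an assessor is told to look for a provider name that does not exist. Since the commit message says this catalog is generated from the xlsx now checked into `data/`, fix the text there and regenerate rather than hand-editing catalog.json, e.g. `The aescbc provider is used by default; see the rationale for the set of acceptable providers on your OpenShift version.` The comment `# encrypt the etcd datastore` above the `oc get openshiftapiserver` command also mislabels a read-only status query; `# check etcd encryption status` matches what the command does. If other controls in this catalog keep the short `_rat`/`_imp`/`_ctl` part-id suffixes, the `_rationale_statement`-style ids introduced here would leave part ids inconsistent across the catalog — worth confirming the generator applied one scheme throughout.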
@@ -5295,27 +5295,27 @@ "prose": "Ensure that the API server is configured to only use strong cryptographic ciphers." }, { - "id": "CIS-1.2.35_rat", + "id": "CIS-1.2.35_rationale_statement", "name": "rationale_statement", "prose": "TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided." }, { - "id": "CIS-1.2.35_imp", + "id": "CIS-1.2.35_impact_statement", "name": "impact_statement", "prose": "API server clients that cannot support the custom cryptographic ciphers will not be able to make connections to the API server." }, { - "id": "CIS-1.2.35_rem", + "id": "CIS-1.2.35_remediation_procedure", "name": "remediation_procedure", "prose": "Follow the directions above and in the OpenShift documentation Configuring Ingress." }, { - "id": "CIS-1.2.35_aud", + "id": "CIS-1.2.35_audit_procedure", "name": "audit_procedure", "prose": "Ciphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. There are four TLS security profile types:\n\n- Old\n- Intermediate\n- Modern\n- Custom\n\nOnly the Old, Intermediate and Custom profiles are supported at this time. Custom provides the ability to specify individual TLS security profile parameters. Follow the steps in the documentation to configure the cipher suite for Ingress and the API server. 
[Ingress controller configuration parameters](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress)\n\nRun the following commands to verify the cipher suite and `minTLSversion` for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and `Kube APIserver`.\n\n```\n# verify cipher suites\noc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\\-0\\-config\\-system\\-cliconfig}' | jq .servingInfo\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\noc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\noc describe --namespace=openshift-ingress-operator ingresscontroller/default\n```\n\nVerify that the `tlsSecurityProfile` is set to the value you chose. \n\nNote: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2." }, { - "id": "CIS-1.2.35_ctl", + "id": "CIS-1.2.35_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.;" } @@ -5393,7 +5393,7 @@ ], "links": [ { - "href": "#614f36e5-a5e7-4fd1-b212-97d46635ab05", + "href": "#e3a167bb-1cbd-4137-b983-f58504c4e56a", "rel": "reference" } ], 
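Review bot: The audit procedure for CIS-1.2.35 never states what a passing configuration looks like — it ends with `Verify that the tlsSecurityProfile is set to the value you chose`, so a cluster left on the `Old` profile (which the same text says is still supported) passes, defeating the control's purpose of excluding weak ciphersuites. State the acceptable baseline explicitly, e.g. `Verify that tlsSecurityProfile is Intermediate, or a Custom profile with minTLSVersion VersionTLS12 or higher and no ciphers outside the Intermediate set.` The remediation `Follow the directions above and in the OpenShift documentation Configuring Ingress.` has no "above" to refer to once the part is rendered on its own; link the document directly as the audit procedure does. The 4.5-era note that the Modern profile and TLS 1.3 are unsupported on the ingress controller may be stale for the release this `v1.2.0-2` catalog targets — confirm before regenerating.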
@@ -5404,27 +5404,27 @@ "prose": "Activate garbage collector on pod termination, as appropriate." }, { - "id": "CIS-1.3.1_rat", + "id": "CIS-1.3.1_rationale_statement", "name": "rationale_statement", "prose": "Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection." }, { - "id": "CIS-1.3.1_imp", + "id": "CIS-1.3.1_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.3.1_rem", + "id": "CIS-1.3.1_remediation_procedure", "name": "remediation_procedure", "prose": "To configure, follow the directions in [Configuring garbage collection for containers and images](\nhttps://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring)" }, { - "id": "CIS-1.3.1_aud", + "id": "CIS-1.3.1_audit_procedure", "name": "audit_procedure", "prose": "Two types of garbage collection are performed on an OpenShift Container Platform node: \n\n- Container garbage collection: Removes terminated containers.\n- Image garbage collection: Removes images not referenced by any running pods.\n\nContainer garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. 
Default values are found here https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L554-L604\n\nThe OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a `kubeletConfig` object for each Machine Config Pool using any combination of the following:\n\n- soft eviction for containers\n- hard eviction for containers\n- eviction for images\n\nTo configure, follow the directions in \n\nhttps://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring\n\nTo verify settings, run the following command for each updated `configpool`\n\n```\noc get machineconfigpool\n\n# For each machineconfigpool\noc describe machineconfigpool \n\n#For example\noc describe machineconfigpool master\noc describe machineconfigpool worker\n```\n\nVerify the values for the following are set as appropriate.\n\n`eviction-soft`\n`evictionSoftGracePeriod`\n`evictionHard`\n`evictionPressureTransitionPeriod`" }, { - "id": "CIS-1.3.1_ctl", + "id": "CIS-1.3.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Enable Anti-Exploitation Features CONTROL:v8 10.5 DESCRIPTION:Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.;TITLE:Establish Secure Configurations CONTROL:v7 5.1 DESCRIPTION:Maintain documented, standard security configuration standards for all authorized operating systems and software.;" } @@ -5487,7 +5487,7 @@ ], "links": [ { - "href": "#a0cd76ba-5b3b-4ede-8ad4-82ef0e89da65", + "href": "#66d532eb-5316-4b56-9a65-2cb7a0905f7e", "rel": "reference" } ], 
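Review bot: The audit procedure for CIS-1.3.1 asks the assessor to check `eviction-soft`, `evictionSoftGracePeriod`, `evictionHard` and `evictionPressureTransitionPeriod` in `oc describe machineconfigpool` output, but the first key uses a different spelling convention from the other three (`evictionSoft` would match them), and as far as I can tell a MachineConfigPool describe does not print kubelet eviction fields — those live on the `KubeletConfig` object the same paragraph says the administrator creates. Suggest adding `oc get kubeletconfig -o yaml` after `oc get machineconfigpool` and using one consistent spelling for the four keys. Hedged: verify against a live cluster before changing the spreadsheet this file is generated from.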
@@ -5498,27 +5498,27 @@ "prose": "Disable profiling, if not needed." }, { - "id": "CIS-1.3.2_rat", + "id": "CIS-1.3.2_rationale_statement", "name": "rationale_statement", "prose": "Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface." }, { - "id": "CIS-1.3.2_imp", + "id": "CIS-1.3.2_impact_statement", "name": "impact_statement", "prose": "Profiling information would not be available." }, { - "id": "CIS-1.3.2_rem", + "id": "CIS-1.3.2_remediation_procedure", "name": "remediation_procedure", "prose": "None required; profiling is protected by RBAC." }, { - "id": "CIS-1.3.2_aud", + "id": "CIS-1.3.2_audit_procedure", "name": "audit_procedure", "prose": "By default, the Controller Manager operator exposes metrics via the metrics service. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to cluster-admin or cluster-debugger role. \n\nProfiling can not be disabled. 
\n\nTo verify the configuration, run the following command:\n\nRun the following command:\n\n```\n# Verify configuration for ports, livenessProbe, readinessProbe, healthz\noc -n openshift-kube-controller-manager get cm kube-controller-manager-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# Verify endpoints\noc -n openshift-kube-controller-manager describe endpoints\n\n# Test to validate RBAC enabled on the controller endpoint; check with non-admin role\noc project openshift-kube-controller-manager\n\nPOD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}')\n\nPORT=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].spec.containers[0].ports[0].hostPort}')\n\n# Following should return 403 Forbidden\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -k\n\n# Create a service account to test RBAC\noc create -n openshift-kube-controller-manager sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa -n openshift-kube-controller-manager get-token permission-test-sa)\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete -n openshift-kube-controller-manager sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the livenessProbe and readinessProbe are set to path: `healthz`.\n\nVerify that regular users cannot learn anything about the controller manager.\n\nVerify that users with the cluster_admin role can retrieve metrics from the endpoint." 
}, { - "id": "CIS-1.3.2_ctl", + "id": "CIS-1.3.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -5576,7 +5576,7 @@ ], "links": [ { - "href": "#9a07f228-1b6b-4d05-993e-b5dff8aa4d04", + "href": "#3505a93f-6a2a-47c9-b131-a82dff05e6bb", "rel": "reference" } ], 
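Review bot: The audit procedure for CIS-1.3.2 obtains the test token with `oc sa get-token permission-test-sa`, which newer `oc` releases have deprecated in favour of `oc create token permission-test-sa`, so the RBAC negative test may fail for the wrong reason on current clusters — confirm against the OpenShift version this catalog targets and update the source spreadsheet if so. Every curl in the block passes `-k`, which is tolerable for a loopback call inside the pod but should be explained so the flag is not copied into network-facing checks: `# -k: loopback call inside the pod; the serving cert is not in curl's trust store`. The procedure also creates and deletes a ServiceAccount in the platform namespace `openshift-kube-controller-manager`; if the assessor stops before `# Cleanup` the account is left behind, so the cleanup step deserves a note that it must run even when an earlier check fails.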
@@ -5587,27 +5587,27 @@ "prose": "Use individual service account credentials for each controller." }, { - "id": "CIS-1.3.3_rat", + "id": "CIS-1.3.3_rationale_statement", "name": "rationale_statement", "prose": "The controller manager creates a service account per controller in the `kube-system` namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks." }, { - "id": "CIS-1.3.3_imp", + "id": "CIS-1.3.3_impact_statement", "name": "impact_statement", "prose": "Whatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the `kube-system` namespace automatically with default roles and `rolebindings` that are auto-reconciled on startup.\n\nIf using other authorization methods (ABAC, Webhook, etc), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles." }, { - "id": "CIS-1.3.3_rem", + "id": "CIS-1.3.3_remediation_procedure", "name": "remediation_procedure", "prose": "The OpenShift Controller Manager operator manages and updates the OpenShift Controller Manager. The Kubernetes Controller Manager operator manages and updates the [Kubernetes Controller Manager](https://github.com/kubernetes/kubernetes) deployed on top of [OpenShift](https://openshift.io/). 
This operator is configured via [KubeControllerManager](https://github.com/openshift/api/blob/master/operator/v1/types_kubecontrollermanager.go) custom resource." }, { - "id": "CIS-1.3.3_aud", + "id": "CIS-1.3.3_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift, `--use-service-account-credentials` is set to `true` by default for the Controller Manager. The bootstrap configuration and overrides are available here: \n\n[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml)\n\n[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml)\n\nRun the following command on the master node:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"use-service-account-credentials\"][]'\n```\n\nVerify that the `--use-service-account-credentials` argument is set to `true`." }, { - "id": "CIS-1.3.3_ctl", + "id": "CIS-1.3.3_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5665,7 +5665,7 @@ ], "links": [ { - "href": "#521c91ea-b8cd-4ba1-be26-99997ff62041", + "href": "#f9793b52-6b7b-4e7b-aae7-e19bbbc5fba4", "rel": "reference" } ], 
@@ -5676,27 +5676,27 @@ "prose": "Explicitly set a service account private key file for service accounts on the controller manager." }, { - "id": "CIS-1.3.4_rat", + "id": "CIS-1.3.4_rationale_statement", "name": "rationale_statement", "prose": "To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate." }, { - "id": "CIS-1.3.4_imp", + "id": "CIS-1.3.4_impact_statement", "name": "impact_statement", "prose": "You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy." }, { - "id": "CIS-1.3.4_rem", + "id": "CIS-1.3.4_remediation_procedure", "name": "remediation_procedure", "prose": "None required. OpenShift manages the service account credentials for the scheduler automatically." }, { - "id": "CIS-1.3.4_aud", + "id": "CIS-1.3.4_audit_procedure", "name": "audit_procedure", "prose": "OpenShift starts the Kubernetes Controller Manager with service-account-private-key-file set to `/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key`. 
\n\nThe bootstrap configuration and overrides are available here: \n\n[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml)\n\n[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml)\n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"service-account-private-key-file\"][]'\n```\n\nVerify that the following is returned\n\n`/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key`" }, { - "id": "CIS-1.3.4_ctl", + "id": "CIS-1.3.4_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5759,7 +5759,7 @@ ], "links": [ { - "href": "#3d3a74dc-9186-4da4-b7d9-54a31fdc4ee4", + "href": "#619a4bf8-1ef8-440e-8b2f-b8eae6ff3e56", "rel": "reference" } ], 
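Review bot: The remediation for CIS-1.3.4 says `OpenShift manages the service account credentials for the scheduler automatically`, but this control and its audit procedure concern the Kubernetes Controller Manager's `service-account-private-key-file`; `scheduler` looks like copy-over from another row and will confuse an assessor mapping the finding. Suggest `None required. OpenShift manages the service account signing key for the controller manager automatically.` The impact statement also tells the customer to maintain and rotate the key file, while the audit text says OpenShift provisions it — reconcile the two, or note that the customer rotation duty applies only when the key is externally managed.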
@@ -5770,27 +5770,27 @@ "prose": "Allow pods to verify the API server's serving certificate before establishing connections." }, { - "id": "CIS-1.3.5_rat", + "id": "CIS-1.3.5_rationale_statement", "name": "rationale_statement", "prose": "Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks.\n\nProviding the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server." }, { - "id": "CIS-1.3.5_imp", + "id": "CIS-1.3.5_impact_statement", "name": "impact_statement", "prose": "OpenShift clusters manage and maintain certificate authorities and certificates for cluster components." }, { - "id": "CIS-1.3.5_rem", + "id": "CIS-1.3.5_remediation_procedure", "name": "remediation_procedure", "prose": "None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform." }, { - "id": "CIS-1.3.5_aud", + "id": "CIS-1.3.5_audit_procedure", "name": "audit_procedure", "prose": "Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"root-ca-file\"][]'\n```\n\nVerify that the `--root-ca-file` argument exists and is set to `/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt`." }, { - "id": "CIS-1.3.5_ctl", + "id": "CIS-1.3.5_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. 
Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5853,7 +5853,7 @@ ], "links": [ { - "href": "#bb301df3-f9dc-47db-bb2a-43cfac62bbd0", + "href": "#6023ef46-fe27-4793-93b7-ce98ced8c51f", "rel": "reference" } ], 
@@ -5864,27 +5864,27 @@ "prose": "Enable kubelet server certificate rotation on controller-manager." }, { - "id": "CIS-1.3.6_rat", + "id": "CIS-1.3.6_rationale_statement", "name": "rationale_statement", "prose": "`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself." }, { - "id": "CIS-1.3.6_imp", + "id": "CIS-1.3.6_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.3.6_rem", + "id": "CIS-1.3.6_remediation_procedure", "name": "remediation_procedure", "prose": "None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform." }, { - "id": "CIS-1.3.6_aud", + "id": "CIS-1.3.6_audit_procedure", "name": "audit_procedure", "prose": "Certificates for the kubelet are automatically created and rotated by the OpenShift Container Platform. The kubelet is installed automatically on every RHCOS node. The OpenShift `kubelet-serving-CA` manages certificates for the kubelet. Kubelet certificates are automatically issued and rotated. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq -r '.extendedArguments[\"feature-gates\"][]'\n```\n\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`." 
}, { - "id": "CIS-1.3.6_ctl", + "id": "CIS-1.3.6_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -5947,7 +5947,7 @@ ], "links": [ { - "href": "#309dfb4c-b87f-4648-a2a4-52ecf44d4a80", + "href": "#6ebf3416-fb70-4668-877f-7b32f2b95156", "rel": "reference" } ], 
@@ -5958,27 +5958,27 @@ "prose": "Do not bind the Controller Manager service to non-loopback insecure addresses." }, { - "id": "CIS-1.3.7_rat", + "id": "CIS-1.3.7_rationale_statement", "name": "rationale_statement", "prose": "The Controller Manager API service which runs on port 10257/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface" }, { - "id": "CIS-1.3.7_imp", + "id": "CIS-1.3.7_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.3.7_rem", + "id": "CIS-1.3.7_remediation_procedure", "name": "remediation_procedure", "prose": "None required. The OpenShift operators configure this correctly." }, { - "id": "CIS-1.3.7_aud", + "id": "CIS-1.3.7_audit_procedure", "name": "audit_procedure", "prose": "The `bind-address` argument is not used. The `secure-port` argument is set to `10257`. The `insecure-port` argument is set to `0`. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq '.extendedArguments[\"secure-port\"][]'\n\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq '.extendedArguments[\"port\"][]'\n\n#Following should fail with a http code 403\nPOD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}')\n\noc rsh -n openshift-kube-controller-manager -c kube-controller-manager $POD curl https://localhost:10257/metrics -k\n```\n\nVerify that `secure-port` is set to `10257` and that `port` is set to `0`.\n\nVerify that attempt to access the controller manager metrics fails with a HTTP code 403." 
}, { - "id": "CIS-1.3.7_ctl", + "id": "CIS-1.3.7_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Use of Secure Network Management and Communication Protocols  CONTROL:v8 12.6 DESCRIPTION:Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -6061,7 +6061,7 @@ ], "links": [ { - "href": "#47a3fd6b-b95a-434d-915d-71b5afe6540b", + "href": "#cbb79ba5-171a-4d74-b1c0-8320a2768d32", "rel": "reference" } ], 
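Review bot: The rationale for CIS-1.3.7 states that the controller manager service on `10257/TCP` is `available without authentication or encryption`, while the audit procedure in the same control sets `secure-port` to `10257`, disables the insecure `port` (`0`) and expects an unauthenticated `https://localhost:10257/metrics` call to return 403 — both cannot be true, and the audit is the accurate one. Reword the rationale to describe the insecure listener rather than the secure port, e.g. `The Controller Manager's insecure listener (the port argument) serves health and metrics without authentication or encryption; it must be disabled (0) and only the authenticated, TLS-protected secure port (10257) should be bound.` Since the commit message says this file is generated from the xlsx in `data/`, make the change there and regenerate.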
@@ -6072,27 +6072,27 @@ "prose": "Disable profiling, if not needed." }, { - "id": "CIS-1.4.1_rat", + "id": "CIS-1.4.1_rationale_statement", "name": "rationale_statement", "prose": "Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface." }, { - "id": "CIS-1.4.1_imp", + "id": "CIS-1.4.1_impact_statement", "name": "impact_statement", "prose": "Profiling information would not be available." }, { - "id": "CIS-1.4.1_rem", + "id": "CIS-1.4.1_remediation_procedure", "name": "remediation_procedure", "prose": "A fix to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488\n\nNone required. Profiling is protected by RBAC and cannot be disabled." }, { - "id": "CIS-1.4.1_aud", + "id": "CIS-1.4.1_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`\n\nTo ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled. 
\n\nTo verify the configuration, run the following command:\n\nRun the following command:\n\n```\n# check configuration for ports, livenessProbe, readinessProbe, healthz\n\noc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# Test to verify endpoints\n\noc -n openshift-kube-scheduler describe endpoints\n\nTest to validate RBAC enabled on the scheduler endpoint; check with non-admin role\n\noc project openshift-kube-scheduler\n\nPOD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')\n\nPORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')\n\n# Should return 403 Forbidden\noc rsh ${POD} curl http://localhost:${PORT}/metrics -k\n\n# Create a service account to test RBAC\noc create sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa get-token permission-test-sa)\n\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the livenessProbe and readinessProbe are set to path: `healthz`.\n\nVerify that only users with the `cluster_admi`n role can retrieve metrics from the endpoint.\n\nVerify that a regular user cannot get information about the scheduler. NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" }, { - "id": "CIS-1.4.1_ctl", + "id": "CIS-1.4.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 
Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -6155,7 +6155,7 @@ ], "links": [ { - "href": "#fe18577a-9838-40ad-8ea7-ca45972c4436", + "href": "#2ff045aa-73f4-4a43-847e-2800c9103fc5", "rel": "reference" } ], 
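Review bot: The verification text for CIS-1.4.1 spells the role as `cluster_admi` with the closing backtick placed before the final `n`; the role is `cluster-admin` (hyphenated, as the same paragraph writes it earlier), so the sentence should read `Verify that only users with the cluster-admin role can retrieve metrics from the endpoint.` The remediation `A fix to this issue: https://bugzilla.redhat.com/... None required.` gives two contradictory answers; if the bug is resolved for the targeted release, drop the link and keep `None required`, otherwise say what the bug affects. The curl calls target `http://localhost:${PORT}` yet pass `-k`, a TLS-only flag, and send the cluster-admin token from `oc whoami -t` over plain HTTP — acceptable only because the call stays on the pod's loopback interface, which deserves a comment such as `# plain HTTP is acceptable here only because the request never leaves the pod's loopback interface`.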
@@ -6166,27 +6166,27 @@ "prose": "Do not bind the scheduler service to non-loopback insecure addresses." }, { - "id": "CIS-1.4.2_rat", + "id": "CIS-1.4.2_rationale_statement", "name": "rationale_statement", "prose": "The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface" }, { - "id": "CIS-1.4.2_imp", + "id": "CIS-1.4.2_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-1.4.2_rem", + "id": "CIS-1.4.2_remediation_procedure", "name": "remediation_procedure", "prose": "By default, the `--bind-address` argument is not present, the readinessProbe and `livenessProbe` arguments are set to `10251` and the `port` argument is set to `0`.\n\nCheck the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" }, { - "id": "CIS-1.4.2_aud", + "id": "CIS-1.4.2_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`\n\nTo ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled. \n\nThe bind-address argument is not used. 
Both authentication and authorization are in place.\n\nhttps://github.com/openshift/cluster-kube-scheduler-operator\n\nRun the following command:\n\n```\n# to verify endpoints\n\noc -n openshift-kube-scheduler describe endpoints\n\n# To verify that bind-adress is not used in the configuration and that port is set to 0\noc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# To test for RBAC: \noc project openshift-kube-scheduler\n\nPOD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')\n\nPOD_IP=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].status.podIP}')\n\nPORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')\n\n# Should return a 403\noc rsh ${POD} curl http://${POD_IP}:${PORT}/metrics\n\n# Create a service account to test RBAC\noc create sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa get-token permission-test-sa)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the --bind-address argument is not present and that `healthz` is bound to `port` `10251`.\n\nVerify that only users with the cluster_admin role can retrieve metrics from the endpoint.\n\nVerify that a regular user cannot get information about the scheduler. 
NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" }, { - "id": "CIS-1.4.2_ctl", + "id": "CIS-1.4.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Maintain and Enforce Network-Based URL Filters CONTROL:v8 9.3 DESCRIPTION:Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -6271,7 +6271,7 @@ ], "links": [ { - "href": "#f5a5f692-9d11-4c31-a48a-eefeba268475", + "href": "#2f934076-115e-4a0e-a143-32b8ef9b6ac9", "rel": "reference" } ], 
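Review bot: The part ids of control CIS-1.4.2 are renamed from the abbreviated suffixes (`CIS-1.4.2_rat`, `_imp`, `_rem`, `_aud`, `_ctl`) to the full part names (`CIS-1.4.2_rationale_statement`, …), and the same rename is applied to CIS-2.1 through CIS-2.7, CIS-3.1.1 and CIS-3.2.1 in the later hunks. OSCAL profiles, component-definitions and assessment results address parts by these ids, so a consumer that pins `CIS-1.4.2_aud` to pull the audit procedure dangles after this commit, and nothing in the visible hunks updates such consumers or records that the id scheme changed. Either the generator config should keep the previous suffixes so the ids stay stable, or the commit description should state the rename and which downstream artifacts were regenerated with it. Note also that the controls part keeps the mixed-case suffix (`CIS-1.4.2_CIS_Controls`) while the other four are lower-case, which matters if ids are compared case-sensitively.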
@@ -6282,27 +6282,27 @@ "prose": "Configure TLS encryption for the `etcd` service." }, { - "id": "CIS-2.1_rat", + "id": "CIS-2.1_rationale_statement", "name": "rationale_statement", "prose": "`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit." }, { - "id": "CIS-2.1_imp", + "id": "CIS-2.1_impact_statement", "name": "impact_statement", "prose": "Client connections only over TLS would be served." }, { - "id": "CIS-2.1_rem", + "id": "CIS-2.1_remediation_procedure", "name": "remediation_procedure", "prose": "OpenShift does not use the `etcd-certfile` or `etcd-keyfil`e flags. Certificates for `etcd` are managed by the `etcd` cluster operator." }, { - "id": "CIS-2.1_aud", + "id": "CIS-2.1_audit_procedure", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift generates these files and sets the arguments appropriately. OpenShift does not use the `etcd-certfile` or `etcd-keyfile` flags. \n\nKeys and certificates for control plane components like `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` are stored with their respective static pod configurations in the directory `/etc/kubernetes/static-pod-resources/*/secrets`. 
\n\nRun the following command:\n\n```\n\n# For --cert-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--cert-file=[^ ]*\\).*/\\1/'\ndone\n\n# For --key-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--key-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that cert-file and key-file values are returned for each etcd member.\n`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.crt`\n`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.key`\n\nFor example:\n\n`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.crt`\n`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.key`" }, { - "id": "CIS-2.1_ctl", + "id": "CIS-2.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -6365,7 +6365,7 @@ ], "links": [ { - "href": "#832774b2-5950-4e10-83d9-0f216679461e", + "href": "#04d99409-c5ca-4dca-b891-b54d04ea091c", "rel": "reference" } ], 
@@ -6376,27 +6376,27 @@ "prose": "Enable client authentication on etcd service." }, { - "id": "CIS-2.2_rat", + "id": "CIS-2.2_rationale_statement", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service." }, { - "id": "CIS-2.2_imp", + "id": "CIS-2.2_impact_statement", "name": "impact_statement", "prose": "All clients attempting to access the etcd server will require a valid client certificate." }, { - "id": "CIS-2.2_rem", + "id": "CIS-2.2_remediation_procedure", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.2_aud", + "id": "CIS-2.2_audit_procedure", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift installation generates these files and sets the arguments appropriately. The following certificates are generated and used by etcd and other processes that communicate with etcd:\n\n- Client certificates: Client certificates are currently used by the API server only, and no other service should connect to etcd directly except for the proxy. 
Client secrets (`etcd-client`, `etcd-metric-client`, `etcd-metric-signer`, and `etcd-signer`) are added to the `openshift-config`, `openshift-monitoring`, and `openshift-kube-apiserver` namespaces.\n- Server certificates: Used by the etcd server for authenticating client requests.\n\nRun the following command on the etcd server node:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--client-cert-auth=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the `--client-cert-auth` argument is set to `true` for each etcd member." }, { - "id": "CIS-2.2_ctl", + "id": "CIS-2.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -6459,7 +6459,7 @@ ], "links": [ { - "href": "#a466cb1e-8796-4f5a-b1ac-989f33a2c7d9", + "href": "#99e79ffc-d5d4-4ad9-91c9-0115bfc0f6a2", "rel": "reference" } ], 
@@ -6470,27 +6470,27 @@ "prose": "Do not use self-signed certificates for TLS." }, { - "id": "CIS-2.3_rat", + "id": "CIS-2.3_rationale_statement", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service." }, { - "id": "CIS-2.3_imp", + "id": "CIS-2.3_impact_statement", "name": "impact_statement", "prose": "Clients will not be able to use self-signed certificates for TLS." }, { - "id": "CIS-2.3_rem", + "id": "CIS-2.3_remediation_procedure", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.3_aud", + "id": "CIS-2.3_audit_procedure", "name": "audit_procedure", "prose": "OpenShift configures etcd with secure communication. Openshift installs etcd as static pods on control plane nodes, and mounts the configuration files from /etc/etcd/ on the host. The `etcd.conf` file includes `auto-tls` configurations as referenced in `/etc/etcd/etcd.conf`. \n\nOpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. \n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. 
\n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n- Cluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\n# Returns 0 if found, 1 if not found\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | grep -- --auto-tls=true 2>&1>/dev/null ; \\\n echo $?\ndone\n```\n\nVerify that 1 is returned for each etcd member." }, { - "id": "CIS-2.3_ctl", + "id": "CIS-2.3_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -6553,7 +6553,7 @@ ], "links": [ { - "href": "#af06202d-d39b-42b8-b4a7-930dea06a830", + "href": "#c480cf85-174b-4355-b88d-00671113c7a1", "rel": "reference" } ], 
@@ -6564,27 +6564,27 @@ "prose": "etcd should be configured to make use of TLS encryption for peer connections." }, { - "id": "CIS-2.4_rat", + "id": "CIS-2.4_rationale_statement", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters." }, { - "id": "CIS-2.4_imp", + "id": "CIS-2.4_impact_statement", "name": "impact_statement", "prose": "etcd cluster peers are set up TLS for their communication." }, { - "id": "CIS-2.4_rem", + "id": "CIS-2.4_remediation_procedure", "name": "remediation_procedure", "prose": "None. This configuration is managed by the etcd operator." }, { - "id": "CIS-2.4_aud", + "id": "CIS-2.4_audit_procedure", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.\n\nOpenshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. 
The `etcd.conf` file includes `peer-cert-file` and `peer-key-file` configurations as referenced in `/etc/etcd/etcd.conf`.\n\nRun the following command:\n\n```\n\n# For --peer-cert-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-cert-file=[^ ]*\\).*/\\1/'\ndone\n\n# For --peer-key-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-key-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the following is returned for each etcd member.\n`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.crt`\n`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.key`\n\nFor example\n`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.crt`\n`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.key`" }, { - "id": "CIS-2.4_ctl", + "id": "CIS-2.4_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -6647,7 +6647,7 @@ ], "links": [ { - "href": "#74fd0641-3cae-435f-9e7d-ce6dcbe02b8f", + "href": "#04062f96-b445-49e4-b38d-4951b110f77b", "rel": "reference" } ], 
@@ -6658,27 +6658,27 @@ "prose": "etcd should be configured for peer authentication." }, { - "id": "CIS-2.5_rat", + "id": "CIS-2.5_rationale_statement", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster." }, { - "id": "CIS-2.5_imp", + "id": "CIS-2.5_impact_statement", "name": "impact_statement", "prose": "All peers attempting to communicate with the etcd server require a valid client certificate for authentication." }, { - "id": "CIS-2.5_rem", + "id": "CIS-2.5_remediation_procedure", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.5_aud", + "id": "CIS-2.5_audit_procedure", "name": "audit_procedure", "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.\n\nOpenshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. The `etcd.conf` file includes `peer-client-cert-auth` configurations as referenced in `/etc/etcd/etcd.conf`. \n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-client-cert-auth=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the `--peer-client-cert-auth` argument is set to `true` for each etcd member." 
}, { - "id": "CIS-2.5_ctl", + "id": "CIS-2.5_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -6741,7 +6741,7 @@ ], "links": [ { - "href": "#4c66ba57-c10e-4697-a964-b046788fa4af", + "href": "#634f886c-c6f9-4d79-98fe-a68ec9ce12db", "rel": "reference" } ], 
@@ -6752,27 +6752,27 @@ "prose": "Do not use automatically generated self-signed certificates for TLS connections between peers." }, { - "id": "CIS-2.6_rat", + "id": "CIS-2.6_rationale_statement", "name": "rationale_statement", "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication." }, { - "id": "CIS-2.6_imp", + "id": "CIS-2.6_impact_statement", "name": "impact_statement", "prose": "All peers attempting to communicate with the etcd server require a valid client certificate for authentication." }, { - "id": "CIS-2.6_rem", + "id": "CIS-2.6_remediation_procedure", "name": "remediation_procedure", "prose": "This setting is managed by the cluster etcd operator. No remediation required." }, { - "id": "CIS-2.6_aud", + "id": "CIS-2.6_audit_procedure", "name": "audit_procedure", "prose": "OpenShift does not use the `--peer-auto-tls` argument. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. This means that\n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. 
\n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n\nCluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\n# Returns 0 if found, 1 if not found\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>&1>/dev/null ; \\\n echo $?\ndone\n```\n\nVerify that 1 is returned for each etcd member." }, { - "id": "CIS-2.6_ctl", + "id": "CIS-2.6_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" } @@ -6835,7 +6835,7 @@ ], "links": [ { - "href": "#c88b42c3-268d-480d-be52-66741e503329", + "href": "#2363ce8b-2795-4ad8-b608-b705247cb6ab", "rel": "reference" } ], 
@@ -6846,27 +6846,27 @@ "prose": "Use a different certificate authority for etcd from the one used for Kubernetes." }, { - "id": "CIS-2.7_rat", + "id": "CIS-2.7_rationale_statement", "name": "rationale_statement", "prose": "etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. Its access should be restricted to specifically designated clients and peers only.\n\nAuthentication to etcd is based on whether the certificate presented was issued by a trusted certificate authority. There is no checking of certificate attributes such as common name or subject alternative name. As such, if any attackers were able to gain access to any certificate issued by the trusted certificate authority, they would be able to gain full access to the etcd database." }, { - "id": "CIS-2.7_imp", + "id": "CIS-2.7_impact_statement", "name": "impact_statement", "prose": "Additional management of the certificates and keys for the dedicated certificate authority will be required." }, { - "id": "CIS-2.7_rem", + "id": "CIS-2.7_remediation_procedure", "name": "remediation_procedure", "prose": "None required. Certificates for etcd are managed by the OpenShift cluster etcd operator." }, { - "id": "CIS-2.7_aud", + "id": "CIS-2.7_audit_procedure", "name": "audit_procedure", "prose": "OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. OpenShift uses a separate CA for etcd.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. 
This means that\n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. \n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n\nCluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--trusted-ca-file=[^ ]*\\).*/\\1/'\ndone\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-trusted-ca-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that `--trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt` and `--peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt` are returned for each member." }, { - "id": "CIS-2.7_ctl", + "id": "CIS-2.7_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -6960,7 +6960,7 @@ ], "links": [ { - "href": "#01409ae6-b0ad-475f-bfa7-2ee62ec12645", + "href": "#8ebb9358-103a-43af-b4c2-e186afa69e70", "rel": "reference" } ], 
@@ -6968,30 +6968,30 @@ { "id": "CIS-3.1.1_smt", "name": "statement", - "prose": "Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose.\n\nIt is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication." + "prose": "Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication." }, { - "id": "CIS-3.1.1_rat", + "id": "CIS-3.1.1_rationale_statement", "name": "rationale_statement", "prose": "With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation." }, { - "id": "CIS-3.1.1_imp", + "id": "CIS-3.1.1_impact_statement", "name": "impact_statement", "prose": "External mechanisms for authentication generally require additional software to be deployed." }, { - "id": "CIS-3.1.1_rem", + "id": "CIS-3.1.1_remediation_procedure", "name": "remediation_procedure", "prose": "Configure an identity provider for the OpenShift cluster. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html). Once an identity provider has been defined, you can use RBAC to define and apply permissions. 
After you define an identity provider and create a new `cluster-admin` user, remove the `kubeadmin` user to improve cluster security." }, { - "id": "CIS-3.1.1_aud", + "id": "CIS-3.1.1_audit_procedure", "name": "audit_procedure", "prose": "For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. [Understanding authentication | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html)\n\nThe OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html)\n\nRun the following commands:\n\n```\n\n# To verify user authentication is enabled\noc describe authentication\n\n# To verify that an identity provider is configured\noc get identity\n\n# To verify that a custom cluster-admin user exists\noc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User\n\n# To verity that kbueadmin is removed, no results should be returned\noc get secrets kubeadmin -n kube-system\n```\n\nVerify that authentication is running. \n\nVerify that at least one identity provider is configured.\n\nVerify that at least one user has cluster-admin role. 
For example\n`NAME: cluster-admin-0` `ROLE: cluster-admin` `SUBJECT:*.kind User`\n\nVerify that the `kubeadmin` user no longer exists" }, { - "id": "CIS-3.1.1_ctl", + "id": "CIS-3.1.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;" } @@ -7067,7 +7067,7 @@ ], "links": [ { - "href": "#ab0d220b-f42a-43e2-8a48-2956d0bd259b", + "href": "#c2f5eee5-88b7-438f-9493-c5746ff68ce2", "rel": "reference" } ], 
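Review bot: The `statement` prose for CIS-3.1.1 loses its paragraph break (`\n\n` becomes a single space) while every other prose value in this diff keeps its `\n\n` separators, so this looks like a cell-normalisation difference in the regenerated source rather than an intended edit; confirm it is wanted. The audit command comment `# To verity that kbueadmin is removed, no results should be returned` carries two typos (`verity`, `kbueadmin`) that are now frozen in the committed spreadsheet, and since the catalog is regenerated from that file the fix belongs there. The control's enclosing object starts outside this hunk.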
@@ -7078,27 +7078,27 @@ "prose": "Kubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled." }, { - "id": "CIS-3.2.1_rat", + "id": "CIS-3.2.1_rationale_statement", "name": "rationale_statement", "prose": "Logging is an important detective control for all systems, to detect potential unauthorised access." }, { - "id": "CIS-3.2.1_imp", + "id": "CIS-3.2.1_impact_statement", "name": "impact_statement", "prose": "Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes." }, { - "id": "CIS-3.2.1_rem", + "id": "CIS-3.2.1_remediation_procedure", "name": "remediation_procedure", "prose": "No remediation required." }, { - "id": "CIS-3.2.1_aud", + "id": "CIS-3.2.1_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift, auditing of the API Server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Each audit log contains two entries:\n\nThe request line containing:\n\nA Unique ID allowing to match the response line (see #2)\n- The source IP of the request\n- The HTTP method being invoked\n- The original user invoking the operation\n- The impersonated user for the operation (self meaning himself)\n- The impersonated group for the operation (lookup meaning user’s group)\n- The namespace of the request or \n- The URI as requested\n\nThe response line containing:\n- The unique ID from #1\n- The response code\n\nYou can view logs for the OpenShift Container Platform API server or the Kubernetes API server for each master node. Follow the steps in documentation. 
[Viewing the audit log](https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html#nodes-nodes-audit-log-basic-viewing_nodes-nodes-audit-log)\n\n```\n\n#To view kube apiserver log files\noc adm node-logs --role=master --path=kube-apiserver/\n\n#To view openshift apiserver log files\noc adm node-logs --role=master --path=openshift-apiserver/\n\n#To verify kube apiserver audit config\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig[]'\n\n#To verify openshift apiserver audit config\noc get configmap config -n openshift-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig[]'\n```\n\nVerify that log files are returned. \n\nVerify the audit log configuration." }, { - "id": "CIS-3.2.1_ctl", + "id": "CIS-3.2.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Activate audit logging CONTROL:v7 6.2 DESCRIPTION:Ensure that local logging has been enabled on all systems and networking devices.;" } @@ -7161,7 +7161,7 @@ ], "links": [ { - "href": "#40c249f0-75cc-4bc0-a918-0bd941c7f119", + "href": "#86318b47-61fc-4f0e-ac04-fed8c9da28bd", "rel": "reference" } ], 
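Review bot: The `impact_statement` prose for CIS-3.2.1 reads "could impact the available of the cluster nodes", which should be "availability", and in the `audit_procedure` prose the first request-line item "A Unique ID allowing to match the response line (see #2)" lacks the `- ` bullet the following items carry, so it renders as a paragraph rather than a list entry. Both are inherited context rather than introduced here, but because this file is generated from the spreadsheet added in this commit, the correction belongs in the xlsx source (or a post-processing step), otherwise the next regeneration reintroduces them. Separately, the renamed part ids now embed the `name` value verbatim, which yields mixed-case `CIS-3.2.1_CIS_Controls` next to lowercase `CIS-3.2.1_rationale_statement`; if ids are meant to be derived from `name`, a note to that effect in the task config, or a consistently lowercased suffix, would stop readers assuming the case difference is meaningful.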
@@ -7172,27 +7172,27 @@ "prose": "Ensure that the audit policy created for the cluster covers key security concerns." }, { - "id": "CIS-3.2.2_rat", + "id": "CIS-3.2.2_rationale_statement", "name": "rationale_statement", "prose": "Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a security environment." }, { - "id": "CIS-3.2.2_imp", + "id": "CIS-3.2.2_impact_statement", "name": "impact_statement", "prose": "Increasing audit logging will consume resources on the nodes or other log destinations." }, { - "id": "CIS-3.2.2_rem", + "id": "CIS-3.2.2_remediation_procedure", "name": "remediation_procedure", "prose": "In OpenShift 4.6 and higher, if appropriate for your needs, modify the audit policy." }, { - "id": "CIS-3.2.2_aud", + "id": "CIS-3.2.2_audit_procedure", "name": "audit_procedure", "prose": "Review the audit policy provided for the cluster and ensure that it covers at least the following areas:\n\n- Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data.\n- Modification of pod and deployment objects.\n- Use of `pods/exec`, `pods/portforward`, `pods/proxy and services/proxy`.\n\nFor most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).\n\nAudit policy is supported as of OpenShift 4.6, but not in earlier versions. You can configure the audit feature to set log level, retention policy, and the type of events to log. You can set the log level settings for an overall component or the API server to one of the following. 
The setting can be different for each setting.\n\n```\n\n#To verify openshift apiserver audit config\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig.policyConfiguration.rules[]'\n\n#To verify kube apiserver audit config\noc get configmap config -n openshift-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig.policyConfiguration.rules[]'\n```" }, { - "id": "CIS-3.2.2_ctl", + "id": "CIS-3.2.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Enforce Detail Logging for Access or Changes to Sensitive Data CONTROL:v7 14.9 DESCRIPTION:Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).;TITLE:Enforce Detailed Audit Logging For Sensitive Information CONTROL:v6 14.6 DESCRIPTION:Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.;" } @@ -7295,7 +7295,7 @@ ], "links": [ { - "href": "#f9696bf0-c0b0-4185-bfb7-1e0ac9c8bbc2", + "href": "#5523abbc-69be-44aa-b8f0-0d7765282334", "rel": "reference" } ], 
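Review bot: In the `audit_procedure` prose for CIS-3.2.2 the two shell comments are swapped relative to the commands they label: `#To verify openshift apiserver audit config` precedes `oc get configmap config -n openshift-kube-apiserver`, and `#To verify kube apiserver audit config` precedes `-n openshift-apiserver`; the same pair in CIS-3.2.1 has them the right way round. The sentence "The setting can be different for each setting." is also unclear — presumably "for each component" is meant, matching the preceding sentence. These are context lines carried over from the previous version, so the correction belongs in the xlsx source the trestle task consumes rather than in catalog.json.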
@@ -7306,27 +7306,27 @@ "prose": "Ensure that the kubelet service file has permissions of 600 or more restrictive." }, { - "id": "CIS-4.1.1_rat", + "id": "CIS-4.1.1_rationale_statement", "name": "rationale_statement", "prose": "The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.1_imp", + "id": "CIS-4.1.1_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.1_rem", + "id": "CIS-4.1.1_remediation_procedure", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/systemd/system/kubelet.service\n```" }, { - "id": "CIS-4.1.1_aud", + "id": "CIS-4.1.1_audit_procedure", "name": "audit_procedure", "prose": "Kubelet is run as a `systemd` unit and its configuration file is created with `644` permissions.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the permissions are `600` or more restrictive." }, { - "id": "CIS-4.1.1_ctl", + "id": "CIS-4.1.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7389,7 +7389,7 @@ ], "links": [ { - "href": "#bcea46e5-4512-402a-adb9-e634398e12c7", + "href": "#5ee947fa-4977-45ef-9514-b79a9a6f8f3b", "rel": "reference" } ], @@ -7400,27 +7400,27 @@ "prose": "Ensure that the kubelet service file ownership is set to `root:root`." }, { - "id": "CIS-4.1.2_rat", + "id": "CIS-4.1.2_rationale_statement", "name": "rationale_statement", "prose": "The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.2_imp", + "id": "CIS-4.1.2_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.2_rem", + "id": "CIS-4.1.2_remediation_procedure", "name": "remediation_procedure", "prose": "By default, the kubelet service file has ownership of `root:root`." }, { - "id": "CIS-4.1.2_aud", + "id": "CIS-4.1.2_audit_procedure", "name": "audit_procedure", "prose": "Run the following command:\n\n```\n\n# Should return root:root for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.2_ctl", + "id": "CIS-4.1.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } 
@@ -7483,7 +7483,7 @@
 ],
 "links": [
 {
- "href": "#3dd2d4d7-e7ef-48e3-af9e-65c0f98ce54e",
+ "href": "#5c7d8368-40e9-4cca-9c90-c8a1505f9eb8",
 "rel": "reference"
 }
 ],
@@ -7494,27 +7494,27 @@ "prose": "If `kube-proxy` is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.3_rat", + "id": "CIS-4.1.3_rationale_statement", "name": "rationale_statement", "prose": "The `kube-proxy` kubeconfig file controls various parameters of the `kube-proxy` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\nIt is possible to run `kube-proxy` with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file." }, { - "id": "CIS-4.1.3_imp", + "id": "CIS-4.1.3_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.3_rem", + "id": "CIS-4.1.3_remediation_procedure", "name": "remediation_procedure", "prose": "execute command:\n\nchmod 600 /config/kube-proxy-config.yaml" }, { - "id": "CIS-4.1.3_aud", + "id": "CIS-4.1.3_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with `644` permissions.\n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname)\ndo\n oc exec -n openshift-sdn $i -- \\\n stat -Lc %a /config/kube-proxy-config.yaml\ndone\n```\n\nVerify that the `kube-proxy-config.yaml` file has permissions of `600`." }, { - "id": "CIS-4.1.3_ctl", + "id": "CIS-4.1.3_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7577,7 +7577,7 @@ ], "links": [ { - "href": "#5adc197e-0e49-4fb7-8515-f27bb0678df1", + "href": "#201ef3a5-b95c-4b95-9ca6-041cc45753f3", "rel": "reference" } ], 
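Review bot: The `audit_procedure` prose for CIS-4.1.3 says the kubeconfig is copied to `/tmp/kubeconfig`, yet the `stat` command and the `remediation_procedure` (`chmod 600 /config/kube-proxy-config.yaml`) operate on `/config/kube-proxy-config.yaml`, so a reader cannot tell which file the check is about. The same text-versus-command mismatch recurs in CIS-4.1.7 (prose names `/etc/kubernetes/cert/kubelet-ca.crt`, command stats `/etc/kubernetes/cert/ca.pem`), CIS-4.1.8 (prose `/etc/kubernetes/kubelet-ca.crt`, command `/etc/kubernetes/ca.pem`, which also drops the `cert/` directory used in 4.1.7), CIS-4.1.10 (prose `/var/lib/kubelet/kubeconfig`, command `/var/lib/kubelet/config.json`) and CIS-4.2.3 (the grep looks for `client-ca-file:` in `/etc/systemd/system/kubelet.service` while the expected output shown is a `clientCAFile:` YAML key). The 4.1.3 remediation also runs `chmod` on a file the prose says is populated from a ConfigMap inside the `sdn` pod, so it presumably does not persist across pod restarts — the remediation should say where the change is expected to be applied. As these are upstream benchmark strings, the fix belongs in the xlsx source rather than this generated file.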
@@ -7588,27 +7588,27 @@ "prose": "If `kube-proxy` is running, ensure that the file ownership of its kubeconfig file is set to `root:root`." }, { - "id": "CIS-4.1.4_rat", + "id": "CIS-4.1.4_rationale_statement", "name": "rationale_statement", "prose": "The kubeconfig file for `kube-proxy` controls various parameters for the `kube-proxy` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.4_imp", + "id": "CIS-4.1.4_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.4_rem", + "id": "CIS-4.1.4_remediation_procedure", "name": "remediation_procedure", "prose": "None required. The configuration is managed by OpenShift operators." }, { - "id": "CIS-4.1.4_aud", + "id": "CIS-4.1.4_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with root:root ownership. \n\nRun the following command:\n\n```\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname)\ndo\n oc exec -n openshift-sdn $i -- \\\n stat -Lc %U:%G /config/kube-proxy-config.yaml\ndone\n```\n\nVerify that the `kube-proxy-config.yaml` file has ownership root:root." }, { - "id": "CIS-4.1.4_ctl", + "id": "CIS-4.1.4_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -7671,7 +7671,7 @@ ], "links": [ { - "href": "#70faa058-f2af-4134-8837-af3f5f9feef3", + "href": "#2679f20e-d437-4fbd-94d3-9300deb20362", "rel": "reference" } ], 
@@ -7682,27 +7682,27 @@ "prose": "Ensure that the `kubelet.conf` file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.5_rat", + "id": "CIS-4.1.5_rationale_statement", "name": "rationale_statement", "prose": "The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.5_imp", + "id": "CIS-4.1.5_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.5_rem", + "id": "CIS-4.1.5_remediation_procedure", "name": "remediation_procedure", "prose": "run command:\n\n```\nchmod 600 /etc/kubernetes/kubelet.conf\n```" }, { - "id": "CIS-4.1.5_aud", + "id": "CIS-4.1.5_audit_procedure", "name": "audit_procedure", "prose": "The node's `kubeconfig` is created with `644` permissions. \n\nRun the following command:\n\n```\n# Check permissions\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/kubelet.conf\ndone\n```\n\nVerify that the permissions are `600`." }, { - "id": "CIS-4.1.5_ctl", + "id": "CIS-4.1.5_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7765,7 +7765,7 @@ ], "links": [ { - "href": "#fb86cf83-bb72-4429-bd81-49a8cf5ff14e", + "href": "#efb94d9e-c91c-4b0b-8201-aa94f6c582b2", "rel": "reference" } ], @@ -7776,27 +7776,27 @@ "prose": "Ensure that the `kubelet.conf` file ownership is set to `root:root`." }, { - "id": "CIS-4.1.6_rat", + "id": "CIS-4.1.6_rationale_statement", "name": "rationale_statement", "prose": "The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.6_imp", + "id": "CIS-4.1.6_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.6_rem", + "id": "CIS-4.1.6_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.6_aud", + "id": "CIS-4.1.6_audit_procedure", "name": "audit_procedure", "prose": "The node's `kubeconfig` is created with `root:root` ownership. \n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/kubelet.conf\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.6_ctl", + "id": "CIS-4.1.6_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } 
@@ -7859,7 +7859,7 @@
 ],
 "links": [
 {
- "href": "#9ded8000-d42b-4a39-af87-bc6e28a796f3",
+ "href": "#119a992c-26bc-44e0-819f-c53616338a13",
 "rel": "reference"
 }
 ],
@@ -7870,27 +7870,27 @@ "prose": "Ensure that the certificate authorities file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.7_rat", + "id": "CIS-4.1.7_rationale_statement", "name": "rationale_statement", "prose": "The certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.7_imp", + "id": "CIS-4.1.7_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.7_rem", + "id": "CIS-4.1.7_remediation_procedure", "name": "remediation_procedure", "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/cert/ca.pem\n```" }, { - "id": "CIS-4.1.7_aud", + "id": "CIS-4.1.7_audit_procedure", "name": "audit_procedure", "prose": "The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The \n`/etc/kubernetes/cert/kubelet-ca.crt` file has permissions `600`.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/cert/ca.pem\ndone\n```\n\nVerify that the permissions are `600`." }, { - "id": "CIS-4.1.7_ctl", + "id": "CIS-4.1.7_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -7953,7 +7953,7 @@ ], "links": [ { - "href": "#19499b83-fe98-4a2e-8493-c7210a52de61", + "href": "#472cc874-97ff-4a4c-81bd-a3b565232455", "rel": "reference" } ], @@ -7964,27 +7964,27 @@ "prose": "Ensure that the certificate authorities file ownership is set to `root:root`." }, { - "id": "CIS-4.1.8_rat", + "id": "CIS-4.1.8_rationale_statement", "name": "rationale_statement", "prose": "The certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.8_imp", + "id": "CIS-4.1.8_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.8_rem", + "id": "CIS-4.1.8_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.8_aud", + "id": "CIS-4.1.8_audit_procedure", "name": "audit_procedure", "prose": "The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The \n`/etc/kubernetes/kubelet-ca.crt` file has ownership `root:root`.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/ca.pem\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.8_ctl", + "id": "CIS-4.1.8_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } 
@@ -8047,7 +8047,7 @@
 ],
 "links": [
 {
- "href": "#51257190-348d-45c4-995f-213482f31bda",
+ "href": "#cec3a4bf-70ae-4eeb-b412-a52803f2e0d6",
 "rel": "reference"
 }
 ],
@@ -8058,27 +8058,27 @@ "prose": "Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of `600` or more restrictive." }, { - "id": "CIS-4.1.9_rat", + "id": "CIS-4.1.9_rationale_statement", "name": "rationale_statement", "prose": "The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." }, { - "id": "CIS-4.1.9_imp", + "id": "CIS-4.1.9_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.9_rem", + "id": "CIS-4.1.9_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.9_aud", + "id": "CIS-4.1.9_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the `kublet.conf` file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/config.json` with file permissions set to `600`.\n\nRun the command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /var/lib/kubelet/config.json\ndone\n```\n\nVerify that the permissions are `600`." }, { - "id": "CIS-4.1.9_ctl", + "id": "CIS-4.1.9_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;TITLE:Minimize And Sparingly Use Administrative Privileges CONTROL:v6 5.1 DESCRIPTION:Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.;" } @@ -8141,7 +8141,7 @@ ], "links": [ { - "href": "#d50db4b8-bea1-4e87-b70c-2cefd530c90a", + "href": "#daac5ddf-fd89-4f90-acbe-3eaa4706cfb4", "rel": "reference" } ], 
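Review bot: The `audit_procedure` prose for CIS-4.1.9 spells the file `kublet.conf`, and the same `kublet` misspelling recurs in the audit procedures of CIS-4.1.10, CIS-4.2.1 and CIS-4.2.2. In 4.1.9 the sentence also refers to `kublet.conf` while the command checks `/var/lib/kubelet/config.json`, so the intended reference is presumably "the kubelet config file" rather than `kubelet.conf`, which elsewhere in this catalog (CIS-4.1.5) denotes the node kubeconfig. These are upstream benchmark strings, so the correction belongs in the xlsx source consumed by the trestle task rather than in this generated file.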
@@ -8152,27 +8152,27 @@ "prose": "Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by `root:root`." }, { - "id": "CIS-4.1.10_rat", + "id": "CIS-4.1.10_rationale_statement", "name": "rationale_statement", "prose": "The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by `root:root`." }, { - "id": "CIS-4.1.10_imp", + "id": "CIS-4.1.10_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.1.10_rem", + "id": "CIS-4.1.10_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.1.10_aud", + "id": "CIS-4.1.10_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/kubeconfig` with ownership set to `root:root`.\n\nRun the command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /var/lib/kubelet/config.json\ndone\n```\n\nVerify that the ownership is set to `root:root`." }, { - "id": "CIS-4.1.10_ctl", + "id": "CIS-4.1.10_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -8250,7 +8250,7 @@ ], "links": [ { - "href": "#4156bdf5-c46c-4799-a01c-c495a846073f", + "href": "#edffbd8c-2ca8-456c-8ff8-759a7e369a87", "rel": "reference" } ], 
@@ -8261,27 +8261,27 @@ "prose": "Disable anonymous requests to the Kubelet server." }, { - "id": "CIS-4.2.1_rat", + "id": "CIS-4.2.1_rationale_statement", "name": "rationale_statement", "prose": "When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests." }, { - "id": "CIS-4.2.1_imp", + "id": "CIS-4.2.1_impact_statement", "name": "impact_statement", "prose": "Anonymous requests will be rejected." }, { - "id": "CIS-4.2.1_rem", + "id": "CIS-4.2.1_remediation_procedure", "name": "remediation_procedure", "prose": "Follow the instructions in the documentation to create a Kubelet config CRD and set the `anonymous-auth` is set to `false`." }, { - "id": "CIS-4.2.1_aud", + "id": "CIS-4.2.1_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator and `anonymous-auth` is set to `false` by default.\n\nRun the following command on each node:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep -B4 -A1 anonymous: /etc/systemd/system/kubelet.conf\ndone\n```\n\nVerify that the `anonymous-auth` argument is set to `false`." }, { - "id": "CIS-4.2.1_ctl", + "id": "CIS-4.2.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" } @@ -8339,7 +8339,7 @@ ], "links": [ { - "href": "#5e1c910a-8d1d-410e-8d7f-1d072a024fa0", + "href": "#97c4e51f-69c2-48d6-8f3c-4820ce812ae7", "rel": "reference" } ], 
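Review bot: The CIS-4.2.1 `audit_procedure` greps `anonymous:` in `/etc/systemd/system/kubelet.conf`, a path that appears nowhere else in this catalog — CIS-4.1.5/4.1.6 check `/etc/kubernetes/kubelet.conf` and CIS-4.1.9/4.1.10 check the kubelet config at `/var/lib/kubelet/config.json` — so it is unclear which file the check is meant to read. The verification sentence then refers to the `anonymous-auth` argument while the grep matches the YAML key `anonymous:`, and the expected output (presumably `enabled: false` beneath `anonymous:`) is never stated; quoting the expected lines as CIS-4.2.3 does would make the check reproducible. Correction belongs in the xlsx source.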
@@ -8350,27 +8350,27 @@ "prose": "Do not allow all requests. Enable explicit authorization." }, { - "id": "CIS-4.2.2_rat", + "id": "CIS-4.2.2_rationale_statement", "name": "rationale_statement", "prose": "Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests." }, { - "id": "CIS-4.2.2_imp", + "id": "CIS-4.2.2_impact_statement", "name": "impact_statement", "prose": "Unauthorized requests will be denied." }, { - "id": "CIS-4.2.2_rem", + "id": "CIS-4.2.2_remediation_procedure", "name": "remediation_procedure", "prose": "None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes." }, { - "id": "CIS-4.2.2_aud", + "id": "CIS-4.2.2_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator. By default, Unauthenticated/Unauthorized users have no access to OpenShift nodes. Run the following command:\n\n```\n\n#In one terminal, run:\n oc proxy\n\n#Then in another terminal, run:\nfor name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}')\ndo \n curl -sS http://127.0.0.1:8080/api/v1/nodes/$name/proxy/configz | jq -r '.kubeletconfig.authorization.mode'\n done\n\n# Alternative without oc proxy\nPOD=$(oc -n openshift-kube-apiserver get pod -l app=openshift-kube-apiserver -o jsonpath='{.items[0].metadata.name}')\n\nTOKEN=$(oc whoami -t)\n\nfor name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}')\ndo\n oc exec -n openshift-kube-apiserver $POD -- curl -sS https://172.25.0.1/api/v1/nodes/$name/proxy/configz -k -H \"Authorization: Bearer $TOKEN\" | jq -r '.kubeletconfig.authorization.mode'\ndone\n```\n\nVerify that access is not successful." 
}, { - "id": "CIS-4.2.2_ctl", + "id": "CIS-4.2.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -8428,7 +8428,7 @@ ], "links": [ { - "href": "#c408887a-6ee5-4cc9-b911-aa10de086da4", + "href": "#b0a79284-59f4-4b12-a7a4-b7fd73d32e36", "rel": "reference" } ], 
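Review bot: The alternative command in the CIS-4.2.2 `audit_procedure` passes `-k` to curl, which disables certificate verification for the connection to `https://172.25.0.1`, and it hands the caller's token from `oc whoami -t` to a process inside the kube-apiserver pod as a command-line argument, where it is visible to anyone who can read that pod's process list or the exec audit record. For a check whose purpose is confirming authorization mode, pointing curl at the cluster CA with `--cacert` instead of `-k`, and noting in the prose that the token is exposed on the exec'd command line, would be the safer guidance; the service IP is also hard-coded, so the prose should say how to obtain it rather than assume it. The closing sentence "Verify that access is not successful" does not match the command, which prints `.kubeletconfig.authorization.mode`; the expected value of that field should be stated instead. As with the other prose issues, the fix belongs in the xlsx source.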
@@ -8439,27 +8439,27 @@ "prose": "Enable Kubelet authentication using certificates." }, { - "id": "CIS-4.2.3_rat", + "id": "CIS-4.2.3_rationale_statement", "name": "rationale_statement", "prose": "The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests." }, { - "id": "CIS-4.2.3_imp", + "id": "CIS-4.2.3_impact_statement", "name": "impact_statement", "prose": "You require TLS to be configured on apiserver as well as kubelets." }, { - "id": "CIS-4.2.3_rem", + "id": "CIS-4.2.3_remediation_procedure", "name": "remediation_procedure", "prose": "None required. Changing the `clientCAFile` value is unsupported." }, { - "id": "CIS-4.2.3_aud", + "id": "CIS-4.2.3_audit_procedure", "name": "audit_procedure", "prose": "OpenShift provides integrated management of certificates for internal cluster components. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. The Client CA location for the kubelet is defined in `/etc/kubernetes/kubelet.conf`. \n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep -B3 client-ca-file: /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the `clientCAFile` exists and is set to `/etc/kubernetes/kubelet-ca.crt`. 
The output should look like the following:\n\n```\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n x509:\n clientCAFile: /etc/kubernetes/kubelet-ca.crt\n```" }, { - "id": "CIS-4.2.3_ctl", + "id": "CIS-4.2.3_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" } @@ -8517,7 +8517,7 @@ ], "links": [ { - "href": "#0a57128d-4803-49f8-b086-2969ee569eb4", + "href": "#aad9d053-7481-4ef1-a443-dc6fe0aa3909", "rel": "reference" } ], 
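Review bot: In the 4.2.3 audit procedure the command greps `/etc/systemd/system/kubelet.service` for `client-ca-file:`, while the prose says the client CA is defined in `/etc/kubernetes/kubelet.conf` and the expected output is the YAML `clientCAFile: /etc/kubernetes/kubelet-ca.crt` from that file, so an auditor running the command as written is unlikely to see what they are told to verify. The check should target one file consistently, e.g. `oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf`, and state that the value must be `/etc/kubernetes/kubelet-ca.crt`. The CIS_Controls mapping of this certificate-authentication check to "Encrypt Sensitive Data at Rest" also looks mismatched, though that text presumably comes from the upstream benchmark.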
@@ -8528,27 +8528,27 @@ "prose": "Disable the read-only port." }, { - "id": "CIS-4.2.4_rat", + "id": "CIS-4.2.4_rationale_statement", "name": "rationale_statement", "prose": "The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster." }, { - "id": "CIS-4.2.4_imp", + "id": "CIS-4.2.4_impact_statement", "name": "impact_statement", "prose": "Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API." }, { - "id": "CIS-4.2.4_rem", + "id": "CIS-4.2.4_remediation_procedure", "name": "remediation_procedure", "prose": "In earlier versions of OpenShift 4, the `read-only-port` argument is not used. \n\nFollow the instructions in the documentation to create a Kubelet config CRD and set the `--read-only-port` is set to `0`." }, { - "id": "CIS-4.2.4_aud", + "id": "CIS-4.2.4_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the kubelet is managed by the Machine Config Operator. The kubelet config file is found at `/etc/kubernetes/kubelet.conf`. OpenShift disables the read-only port (10255) on all nodes by setting the `read-only-port` kubelet flag to 0 by default in OpenShift 4.6 and above. In OpenShift 4.5 and earlier, the `read-only-port` argument is not used. \n\nRun the following command:\n\n```\n\noc -n openshift-kube-apiserver get cm kube-apiserver-pod -o yaml | grep --color read-only-port\n\noc -n openshift-kube-apiserver get cm config -o yaml | grep --color \"read-only-port”\n```\n\nFor OpenShift 4.5, verify that nothing is returned. Configuration information is available here: https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L135-L141\n\nFor OpenShift 4.6, verify that the `read-only-port` is set to `0`." 
}, { - "id": "CIS-4.2.4_ctl", + "id": "CIS-4.2.4_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -8606,7 +8606,7 @@ ], "links": [ { - "href": "#1eece71c-cc88-463f-9a39-465f737b31c5", + "href": "#25b0a20a-b36a-41b7-bd96-6fd4a7dfd325", "rel": "reference" } ], 
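Review bot: In the 4.2.4 audit procedure the second command ends with a typographic closing quote, `grep --color "read-only-port”`, so pasted into a shell it is an unterminated string rather than a working check; it should read `grep --color "read-only-port"`. Both commands inspect config maps in `openshift-kube-apiserver`, yet `read-only-port` is a kubelet setting, so the node's kubelet.conf (`readOnlyPort: 0`) or the rendered `01-*-kubelet` MachineConfig is the more authoritative place to look — TODO confirm the intended source. The remediation sentence `set the --read-only-port is set to 0` is garbled and should say `set readOnlyPort to 0`.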
@@ -8617,27 +8617,27 @@ "prose": "Do not disable timeouts on streaming connections." }, { - "id": "CIS-4.2.5_rat", + "id": "CIS-4.2.5_rationale_statement", "name": "rationale_statement", "prose": "Setting idle timeouts ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports. \n\n**Note:** By default, `--streaming-connection-idle-timeout` is set to 4 hours which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases." }, { - "id": "CIS-4.2.5_imp", + "id": "CIS-4.2.5_impact_statement", "name": "impact_statement", "prose": "Long-lived connections could be interrupted." }, { - "id": "CIS-4.2.5_rem", + "id": "CIS-4.2.5_remediation_procedure", "name": "remediation_procedure", "prose": "Follow the instructions in the documentation to create a Kubelet config CRD and set the `--streaming-connection-idle-timeout` to the desired value. Do not set the value to `0`." }, { - "id": "CIS-4.2.5_aud", + "id": "CIS-4.2.5_audit_procedure", "name": "audit_procedure", "prose": "OpenShift uses the kubernetes default of 4 hours for the streaming-connection-idle-timeout argument. Unless the cluster administrator has added the value to the node configuration, the default will be used. The value is a timeout for HTTP streaming sessions going through a kubelet, like the port-forward, exec, or attach pod operations. The `streaming-connection-idle-timeout` should not be disabled by setting it to `zero`, but it can be lowered. Note that if the value is set too low, then users using those features may experience a service interruption due to the timeout. \n\nThe kubelet configuration is currently serialized as an ignition configuration, so it can be directly edited. However, there is also a new `kubelet-config-controller` added to the Machine Config Controller (MCC). 
This allows you to create a `KubeletConfig` custom resource (CR) to edit the kubelet parameters.\n\nRun the following command on each node:\n\n```\n\n# Should return 1 for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host ps -ef | grep kubelet | grep streaming-connection-idle-timeout\n echo $?\ndone\n\n# Should return 1 for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf\n echo $?\ndone\n```\n\nVerify that the `--streaming-connection-idle-timeout` argument is not set to `0`.\nIf the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to `0`." }, { - "id": "CIS-4.2.5_ctl", + "id": "CIS-4.2.5_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" } @@ -8695,7 +8695,7 @@ ], "links": [ { - "href": "#77ca7af9-cafc-406a-b735-b82415471bce", + "href": "#fcb2eff5-95e4-4f94-b1c0-7fd3d06d829a", "rel": "reference" } ], 
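Review bot: In the 4.2.5 audit procedure both loops are annotated `# Should return 1 for each node`, yet the closing verification only requires that the timeout is not `0`; an administrator who lowered the timeout (as the rationale recommends) gets exit status 0 and would read that as a failure. The comment should say that a non-zero status means the 4h default is in use, and that any match must be inspected for a value other than `0`. Note also that `echo $?` after the first pipeline reports the last `grep`, not `oc debug`, so a failed node connection is indistinguishable from "not set".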
@@ -8706,27 +8706,27 @@ "prose": "Protect tuned kernel parameters from overriding kubelet default kernel parameter values." }, { - "id": "CIS-4.2.6_rat", + "id": "CIS-4.2.6_rationale_statement", "name": "rationale_statement", "prose": "Kernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior." }, { - "id": "CIS-4.2.6_imp", + "id": "CIS-4.2.6_impact_statement", "name": "impact_statement", "prose": "You would have to re-tune kernel parameters to match kubelet parameters." }, { - "id": "CIS-4.2.6_rem", + "id": "CIS-4.2.6_remediation_procedure", "name": "remediation_procedure", "prose": "None required. The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start." }, { - "id": "CIS-4.2.6_aud", + "id": "CIS-4.2.6_audit_procedure", "name": "audit_procedure", "prose": "The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start.\n\nRun the following command:\n\n```\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n```\n\nVerify that protectKernelDefaults is not present." 
}, { - "id": "CIS-4.2.6_ctl", + "id": "CIS-4.2.6_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Deploy Automated Operating System Patch Management Tools CONTROL:v7 3.4 DESCRIPTION:Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.;" } @@ -8784,7 +8784,7 @@ ], "links": [ { - "href": "#b2679e66-bd6f-4791-9b35-0b85d81e5139", + "href": "#576ebaa9-bb17-44ce-98cd-021442090ba2", "rel": "reference" } ], 
@@ -8795,27 +8795,27 @@ "prose": "Allow Kubelet to manage iptables." }, { - "id": "CIS-4.2.7_rat", + "id": "CIS-4.2.7_rationale_statement", "name": "rationale_statement", "prose": "Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open." }, { - "id": "CIS-4.2.7_imp", + "id": "CIS-4.2.7_impact_statement", "name": "impact_statement", "prose": "Kubelet would manage the iptables on the system and keep it in sync. If you are using any other iptables management solution, then there might be some conflicts." }, { - "id": "CIS-4.2.7_rem", + "id": "CIS-4.2.7_remediation_procedure", "name": "remediation_procedure", "prose": "None required. The `--make-iptables-util-chains` argument is set to true by default." }, { - "id": "CIS-4.2.7_aud", + "id": "CIS-4.2.7_audit_procedure", "name": "audit_procedure", "prose": "OpenShift sets the `make-iptables-util-changes` argument to true by default. \n\nRun the following command:\n\n```\n\n/bin/bash\nflag=make-iptables-util-chains\nopt=makeIPTablesUtilChains\n\n# look at each machineconfigpool\n\nwhile read -r pool nodeconfig; do\n # true by default\n value='true'\n # first look for the flag\n oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.systemd[][] | select(.name==\"kubelet.service\") | .contents' | sed -n \"/^ExecStart=/,/^\\$/ { /^\\\\s*--$flag=false/ q 100 }\"\n # if the above command exited with 100, the flag was false\n [ $? 
== 100 ] && value='false'\n # now look in the yaml KubeletConfig\n yamlconfig=$(oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.storage.files[] | select(.path==\"/etc/kubernetes/kubelet.conf\") | .contents.source ' | sed 's/^data:,//' | while read; do echo -e ${REPLY//%/\\\\x}; done)\n echo \"$yamlconfig\" | sed -n \"/^$opt:\\\\s*false\\\\s*$/ q 100\"\n [ $? == 100 ] && value='false'\n echo \"Pool $pool has $flag ($opt) set to $value\"\ndone < <(oc get machineconfigpools -o json | jq -r '.items[] | select(.status.machineCount>0) | .metadata.name + \" \" + .spec.configuration.name')\n```\n\nVerify the `--make-iptables-util-chains` argument is set to true for each `machinepool`. \n\nFor example:\n`Pool master has make-iptables-util-chains (makeIPTablesUtilChains) set to true`\n`Pool worker has make-iptables-util-chains (makeIPTablesUtilChains) set to true`" }, { - "id": "CIS-4.2.7_ctl", + "id": "CIS-4.2.7_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enforce Access Control to Data through Automated Tools CONTROL:v7 14.7 DESCRIPTION:Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.;" } @@ -8873,7 +8873,7 @@ ], "links": [ { - "href": "#71a16eb1-f934-4738-8b8d-4ad9bcdf285b", + "href": "#df258d02-632c-46ba-b131-938998ac806f", "rel": "reference" } ], 
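Review bot: The 4.2.7 audit prose states `OpenShift sets the make-iptables-util-changes argument to true by default`, but the kubelet flag — and the script's own `flag=make-iptables-util-chains` — is `make-iptables-util-chains`, so the sentence should be corrected to match. The script is otherwise careful (it inspects both the ExecStart line and the URL-encoded kubelet.conf of each rendered MachineConfig), but the bare `/bin/bash` first line would spawn an interactive shell if pasted and should be a `#!/bin/bash` shebang, and `[ $? == 100 ]` relies on bash's non-POSIX `==` where `-eq 100` is portable.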
@@ -8884,27 +8884,27 @@ "prose": "Do not override node hostnames." }, { - "id": "CIS-4.2.8_rat", + "id": "CIS-4.2.8_rationale_statement", "name": "rationale_statement", "prose": "Overriding hostnames could potentially break TLS setup between the kubelet and the apiserver. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should setup your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs." }, { - "id": "CIS-4.2.8_imp", + "id": "CIS-4.2.8_impact_statement", "name": "impact_statement", "prose": "Some cloud providers may require this flag to ensure that hostname matches names issued by the cloud provider. In these environments, this recommendation should not apply." }, { - "id": "CIS-4.2.8_rem", + "id": "CIS-4.2.8_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.2.8_aud", + "id": "CIS-4.2.8_audit_procedure", "name": "audit_procedure", "prose": "In OpenShift 4, the `--hostname-override` argument is not used. \n\nRun the following command on each machine pool. For example:\n\n```\noc get machineconfig 01-worker-kubelet -o yaml | grep hostname-override\noc get machineconfig 01-master-kubelet -o yaml | grep hostname-override\n```\n\nVerify that `--hostname-override` argument does not exist." }, { - "id": "CIS-4.2.8_ctl", + "id": "CIS-4.2.8_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Use DNS Filtering Services CONTROL:v8 9.2 DESCRIPTION:Use DNS filtering services on all enterprise assets to block access to known malicious domains.;TITLE:Use of DNS Filtering Services CONTROL:v7 7.7 DESCRIPTION:Use DNS filtering services to help block access to known malicious domains.;" } @@ -8962,7 +8962,7 @@ ], "links": [ { - "href": "#b8ec980b-ad39-4593-81a2-3998c02a849f", + "href": "#1895214f-40e8-4615-b019-61940dfa98cd", "rel": "reference" } ], 
@@ -8973,27 +8973,27 @@ "prose": "Security relevant information should be captured. The `--event-qps` flag on the Kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged, however the unlimited setting of `0` could result in a denial of service on the kubelet." }, { - "id": "CIS-4.2.9_rat", + "id": "CIS-4.2.9_rationale_statement", "name": "rationale_statement", "prose": "It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data." }, { - "id": "CIS-4.2.9_imp", + "id": "CIS-4.2.9_impact_statement", "name": "impact_statement", "prose": "Setting this parameter to `0` could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads." }, { - "id": "CIS-4.2.9_rem", + "id": "CIS-4.2.9_remediation_procedure", "name": "remediation_procedure", "prose": "Follow the documentation to edit kubelet parameters\n\nhttps://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters\n\n```\nKubeAPIQPS: \n```" }, { - "id": "CIS-4.2.9_aud", + "id": "CIS-4.2.9_audit_procedure", "name": "audit_procedure", "prose": "OpenShift uses the `kubeAPIQPS` argument and sets it to a default value of `50`. When this value is set to > 0, event creations per second are limited to the value set. If this value is set to `0`, event creations per second are unlimited.\n\nRun the following command on each machine pool. 
For example:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n\noc get machineconfig 01-worker-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050\n\noc get machineconfig 01-master-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050\n```\n\nReview the value set for the `kubeAPIQPS` argument and determine whether this has been set to an appropriate level for the cluster. If this value is set to `0`, event creations per second are unlimited." }, { - "id": "CIS-4.2.9_ctl", + "id": "CIS-4.2.9_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Collect Detailed Audit Logs CONTROL:v8 8.5 DESCRIPTION:Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.;TITLE:Enable Command-line Audit Logging CONTROL:v7 8.8 DESCRIPTION:Enable command-line audit logging for command shells, such as Microsoft Powershell and Bash.;" } @@ -9051,7 +9051,7 @@ ], "links": [ { - "href": "#6686bf97-28d3-4b99-9e19-640474302bb1", + "href": "#f1854ab5-825d-4054-9a85-32e73db22296", "rel": "reference" } ], 
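Review bot: The 4.2.9 description concerns the kubelet `--event-qps` flag, but the audit and remediation check `kubeAPIQPS`, which is the kubelet's general rate limit for API-server requests; the kubelet config keeps event throttling in a separate field (`eventRecordQPS`), so the procedure as written likely measures the wrong setting — TODO confirm against the kubelet config reference for the supported OpenShift releases. The remediation block `KubeAPIQPS: ` carries no value, and the grep pattern `kubeAPIQPS%3A%2050` only matches the exact default `50`, returning nothing for any other configured value; naming the field to set and grepping for the key alone (`grep --color kubeAPIQPS`) would make the check usable. The first loop (`more /etc/kubernetes/kubelet.conf`) dumps each node's entire config rather than the relevant line.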
@@ -9062,27 +9062,27 @@ "prose": "Setup TLS connection on the Kubelets." }, { - "id": "CIS-4.2.10_rat", + "id": "CIS-4.2.10_rationale_statement", "name": "rationale_statement", "prose": "The connections from the `apiserver` to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the `apiserver` does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks." }, { - "id": "CIS-4.2.10_imp", + "id": "CIS-4.2.10_impact_statement", "name": "impact_statement", "prose": "TLS and client certificate authentication must be configured for your Kubernetes cluster deployment." }, { - "id": "CIS-4.2.10_rem", + "id": "CIS-4.2.10_remediation_procedure", "name": "remediation_procedure", "prose": "OpenShift automatically manages TLS authentication for the API server communication with the `node/kublet`. This is not configurable." }, { - "id": "CIS-4.2.10_aud", + "id": "CIS-4.2.10_audit_procedure", "name": "audit_procedure", "prose": "By default, OpenShift uses X.509 certificates to provide secure connections between the API server and `node/kubelet`. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. The OpenShift Container Platform manages certificate rotation and the alerting framework has rules to help identify when a certificate issue is about to occur. 
\n\nRun the following command on each node:\n\n```\noc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data[\"config.yaml\"]' | jq '.kubeletClientInfo' \n```\n\nVerify that the `kubelet-client-certificate` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt`\n\nVerify that the `kubelet-client-key` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kublet-client/tls.key`" }, { - "id": "CIS-4.2.10_ctl", + "id": "CIS-4.2.10_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -9140,7 +9140,7 @@ ], "links": [ { - "href": "#2a5a9ff4-65f6-4eea-bfbd-56cb3a734454", + "href": "#ca0ebe3e-495e-4753-80a1-a9b809fe8fd1", "rel": "reference" } ], 
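Review bot: The 4.2.10 verification step spells the key path `/etc/kubernetes/static-pod-certs/secrets/kublet-client/tls.key` while the certificate on the line above is under `.../kubelet-client/tls.crt`; an auditor comparing literal strings will flag a compliant cluster. It should read `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key`. The command prints the `kubeletClientInfo` object, whose field names are presumably `certFile`/`keyFile` rather than the `kubelet-client-certificate`/`kubelet-client-key` flags the prose asks for — TODO confirm and align the text with the actual jq output — and it queries the cluster once, so "Run the following command on each node" is misleading.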
@@ -9151,27 +9151,27 @@ "prose": "Enable kubelet client certificate rotation." }, { - "id": "CIS-4.2.11_rat", + "id": "CIS-4.2.11_rationale_statement", "name": "rationale_statement", "prose": "The `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself." }, { - "id": "CIS-4.2.11_imp", + "id": "CIS-4.2.11_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.2.11_rem", + "id": "CIS-4.2.11_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.2.11_aud", + "id": "CIS-4.2.11_audit_procedure", "name": "audit_procedure", "prose": "This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled. The feature gate is enabled by default.\n\nRun the following commands:\n\n```\n\n#Verify the rotateKubeletClientCertificate feature gate is not set to false\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host cat /etc/kubernetes/kubelet.conf | grep RotateKubeletClientCertificate\ndone\n\n# Verify the rotateCertificates argument is set to true\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf;\ndone\n```\n\nVerify that the `rotateKubeletClientCertificates` feature gate argument is not set to `false`.\n\nVerify that the `rotateCertificates` argument is set to `true`." 
}, { - "id": "CIS-4.2.11_ctl", + "id": "CIS-4.2.11_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } @@ -9229,7 +9229,7 @@ ], "links": [ { - "href": "#25e569d4-5013-4c28-8ac4-b42c658e5130", + "href": "#7fb3efc3-eb24-45a0-a08f-d321b903cd0d", "rel": "reference" } ], 
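Review bot: In the 4.2.11 audit procedure the second loop runs `oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf`; `host` lacks the leading slash, so chroot fails and the rotation check never executes. It should be `chroot /host grep rotateCertificates /etc/kubernetes/kubelet.conf`. The first loop greps for `RotateKubeletClientCertificate` but the text then asks to verify `rotateKubeletClientCertificates` (different case, plural); grep is case-sensitive, so the pattern and the expected field name should agree, or `grep -i` should be used.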
@@ -9240,27 +9240,27 @@ "prose": "Enable kubelet server certificate rotation." }, { - "id": "CIS-4.2.12_rat", + "id": "CIS-4.2.12_rationale_statement", "name": "rationale_statement", "prose": "`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself." }, { - "id": "CIS-4.2.12_imp", + "id": "CIS-4.2.12_impact_statement", "name": "impact_statement", "prose": "None" }, { - "id": "CIS-4.2.12_rem", + "id": "CIS-4.2.12_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-4.2.12_aud", + "id": "CIS-4.2.12_audit_procedure", "name": "audit_procedure", "prose": "Run the following command on each node:\n\n```\n\n#Verify the rotateKubeletServerCertificate feature gate is on \nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n\n# Verify the rotateCertificates argument is set to true\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf;\ndone\n```\n\nVerify that the `RotateKubeletServerCertificate` argument is set to `true`.\n\nVerify that the `rotateCertificates` argument is set to `true`" }, { - "id": "CIS-4.2.12_ctl", + "id": "CIS-4.2.12_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" } 
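Review bot: The 4.2.12 audit repeats the `chroot host grep rotate` mistake of the client-certificate check — without the leading slash on `/host` the command fails before producing output — and its first loop only runs `more /etc/kubernetes/kubelet.conf` with no filter, so nothing actually tests the `RotateKubeletServerCertificate` gate the text asks about. A targeted line such as `oc debug node/${node} -- chroot /host grep -E 'RotateKubeletServerCertificate|serverTLSBootstrap' /etc/kubernetes/kubelet.conf` would give a reviewable result; the exact field name to expect should be confirmed against the kubelet config for supported releases.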
@@ -9323,27 +9323,27 @@ "prose": "Ensure that the Kubelet is configured to only use strong cryptographic ciphers." }, { - "id": "CIS-4.2.13_rat", + "id": "CIS-4.2.13_rationale_statement", "name": "rationale_statement", "prose": "TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided." }, { - "id": "CIS-4.2.13_imp", + "id": "CIS-4.2.13_impact_statement", "name": "impact_statement", "prose": "Kubelet clients that cannot support modern cryptographic ciphers will not be able to make connections to the Kubelet API." }, { - "id": "CIS-4.2.13_rem", + "id": "CIS-4.2.13_remediation_procedure", "name": "remediation_procedure", "prose": "Follow the directions above and in the OpenShift documentation to configure the `tlsSecurityProfile`. [Configuring Ingress](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress)" }, { - "id": "CIS-4.2.13_aud", + "id": "CIS-4.2.13_audit_procedure", "name": "audit_procedure", "prose": "The set of cryptographic ciphers currently considered secure is the following:\n\n```\n TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\n TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\n TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_GCM_SHA256\n```\n\nCiphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. 
There are four TLS security profile types:\n\n- Old\n- Intermediate\n- Modern\n- Custom\n\nOnly the Old, Intermediate and Custom profiles are supported at this time for the Ingress controller. Custom provides the ability to specify individual TLS security profile parameters. Follow the steps in the documentation to configure the cipher suite for Ingress, API server and Authentication. https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress\n\nRun the following commands to verify the cipher suite and minTLSversion for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and Kube APIserver.\n\n```\n# needs verification\n\n# verify cipher suites\noc describe --namespace=openshift-ingress-operator ingresscontroller/default\n\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\n\noc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\n\noc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\\-0\\-config\\-system\\-cliconfig}' | jq .servingInfo\n\n#check value for tlsSecurityProfile; null is returned if default is used\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.tlsSecurityProfile\n```\n\nVerify that the cipher suites are appropriate. \n\nVerify that the `tlsSecurityProfile` is set to the value you chose. \n\nNote: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2." 
}, { - "id": "CIS-4.2.13_ctl", + "id": "CIS-4.2.13_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.;TITLE:Address unapproved software CONTROL:v7 2.6 DESCRIPTION:Ensure that unauthorized software is either removed or the inventory is updated in a timely manner;" } @@ -9439,7 +9439,7 @@ ], "links": [ { - "href": "#a7a6baf7-d860-4e6d-8678-968ffdee1e01", + "href": "#bcc08c26-c8b2-4455-85b6-e329fcd34a19", "rel": "reference" } ], 
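Review bot: The 4.2.13 audit lists `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256` among ciphers "currently considered secure", but both use static RSA key exchange with no forward secrecy — recorded sessions become decryptable if the server key ever leaks — and they are not part of the Intermediate profile the text steers operators toward, so the list should drop them or mark them legacy-only. The command block still carries a `# needs verification` placeholder and the remediation points at 4.5-era ingress documentation, both of which read as unfinished in a published catalog. Minor: `OpenShfit 4.3` is a typo.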
@@ -9450,27 +9450,27 @@ "prose": "The RBAC role `cluster-admin` provides wide-ranging powers over the environment and should be used only where and when needed." }, { - "id": "CIS-5.1.1_rat", + "id": "CIS-5.1.1_rationale_statement", "name": "rationale_statement", "prose": "Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as `cluster-admin` provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as `cluster-admin` allow super-user access to perform any action on any resource. When used in a `ClusterRoleBinding`, it gives full control over every resource in the cluster and in all namespaces. When used in a `RoleBinding`, it gives full control over every resource in the rolebinding's namespace, including the namespace itself." }, { - "id": "CIS-5.1.1_imp", + "id": "CIS-5.1.1_impact_statement", "name": "impact_statement", "prose": "Care should be taken before removing any `clusterrolebindings` from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to `clusterrolebindings` with the `system:` prefix as they are required for the operation of system components." }, { - "id": "CIS-5.1.1_rem", + "id": "CIS-5.1.1_remediation_procedure", "name": "remediation_procedure", "prose": "Identify all `clusterrolebindings` to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.\n\nWhere possible, first bind users to a lower privileged role and then remove the `clusterrolebinding` to the cluster-admin role :\n\n```\noc delete clusterrolebinding [name]\n```" }, { - "id": "CIS-5.1.1_aud", + "id": "CIS-5.1.1_audit_procedure", "name": "audit_procedure", "prose": "OpenShift provides a set of default cluster roles that you can bind to users and groups cluster-wide or locally (per project namespace). Be mindful of the difference between local and cluster bindings. 
For example, if you bind the cluster-admin role to a user by using a local role binding, it might appear that this user has the privileges of a cluster administrator. This is not the case. Binding the cluster-admin to a user in a project grants super administrator privileges for only that project to the user. You can use the oc CLI to view cluster roles and bindings by using the oc describe command. For more information, see [Default Cluster Roles](https://docs.openshift.com/container-platform/4.4/authentication/using-rbac.html#default-roles_using-rbac)\n\nSome of these roles such as cluster-admin provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as cluster-admin allow super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.\n\nReview users and groups bound to cluster-admin and decide whether they require such access. Consider creating least-privilege roles for users and service accounts.\n\nObtain a list of the principals who have access to the cluster-admin role by reviewing the `clusterrolebinding` output for each role binding that has access to the cluster-admin role.\n\n```\n# needs verification\n\n# To get a list of users and service accounts with the cluster-admin role\noc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin\n\n# To verity that kbueadmin is removed, no results should be returned\noc get secrets kubeadmin -n kube-system\n```\n\nReview each principal listed and ensure that cluster-admin privilege is required for it.\n\nVerify that the kubeadmin user no longer exists." 
}, { - "id": "CIS-5.1.1_ctl", + "id": "CIS-5.1.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" } 
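Review bot: The CIS-5.1.1 audit_procedure in this hunk lists clusterrolebindings with `SUBJECT:.subjects[*].kind`, which prints only the subject kinds (User, Group, ServiceAccount) and never the identities, so the following instruction "Review each principal listed" cannot be carried out from that output. A column such as `SUBJECT:.subjects[*].name` (optionally alongside a KIND column) is needed to actually enumerate who holds cluster-admin, and filtering on the ROLE column rather than a bare `grep cluster-admin` avoids matching unrelated bindings whose name merely contains the string. The same prose carries the typos `verity` and `kbueadmin`. Since this text appears to be transcribed from the upstream CIS benchmark and the commit only renames part ids, these are best corrected in the source xlsx before regeneration rather than hand-edited in the generated catalog.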
@@ -9538,27 +9538,27 @@ "prose": "The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation." }, { - "id": "CIS-5.1.2_rat", + "id": "CIS-5.1.2_rationale_statement", "name": "rationale_statement", "prose": "Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets." }, { - "id": "CIS-5.1.2_imp", + "id": "CIS-5.1.2_impact_statement", "name": "impact_statement", "prose": "Care should be taken not to remove access to secrets to system components which require this for their operation" }, { - "id": "CIS-5.1.2_rem", + "id": "CIS-5.1.2_remediation_procedure", "name": "remediation_procedure", "prose": "Where possible, remove `get`, `list` and `watch` access to `secret` objects in the cluster." }, { - "id": "CIS-5.1.2_aud", + "id": "CIS-5.1.2_audit_procedure", "name": "audit_procedure", "prose": "Review the users who have `get`, `list` or `watch` access to `secrets` objects in the Kubernetes API." }, { - "id": "CIS-5.1.2_ctl", + "id": "CIS-5.1.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;" } 
@@ -9623,25 +9623,25 @@ { "id": "CIS-5.1.3_smt", "name": "statement", - "prose": "Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard \"*\" which matches all items. \n\nUse of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product." + "prose": "Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard \"*\" which matches all items. Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product." }, { - "id": "CIS-5.1.3_rat", + "id": "CIS-5.1.3_rationale_statement", "name": "rationale_statement", "prose": "The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API." }, { - "id": "CIS-5.1.3_rem", + "id": "CIS-5.1.3_remediation_procedure", "name": "remediation_procedure", "prose": "Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions." 
}, { - "id": "CIS-5.1.3_aud", + "id": "CIS-5.1.3_audit_procedure", "name": "audit_procedure", "prose": "Retrieve the roles defined across each namespaces in the cluster and review for wildcards\n\n```\n\noc get roles --all-namespaces -o yaml\n\nfor i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done\n```\n\nRetrieve the cluster roles defined in the cluster and review for wildcards\n\n```\noc get clusterroles -o yaml\n\nfor i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done\n```" }, { - "id": "CIS-5.1.3_ctl", + "id": "CIS-5.1.3_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;" } 
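Review bot: The first loop in the CIS-5.1.3 audit_procedure collects namespaced role names via `oc get roles -A -o jsonpath='{.items[*].metadata.name}'` but then runs `oc describe clusterrole ${i}`, so it describes cluster roles (or fails on names that only exist as namespaced roles) instead of the Roles it claims to review, and it drops the namespaces needed to address them. A working form is to iterate `oc get roles -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{"\n"}{end}'` and call `oc describe role -n "$ns" "$name"`, or simply rely on the `oc get roles --all-namespaces -o yaml` that is already given. The new statement prose in this hunk also collapses the `\n\n` paragraph break into a single space while sibling fields keep theirs, which looks like a side effect of the xlsx conversion rather than an intended edit. As with the rest of this generated catalog, the fix belongs in the source xlsx so it survives the next regeneration.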
@@ -9706,30 +9706,30 @@ { "id": "CIS-5.1.4_smt", "name": "statement", - "prose": "The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access)\n\nAs such, access to create new pods should be restricted to the smallest possible group of users." + "prose": "The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access) As such, access to create new pods should be restricted to the smallest possible group of users." }, { - "id": "CIS-5.1.4_rat", + "id": "CIS-5.1.4_rationale_statement", "name": "rationale_statement", "prose": "The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible." }, { - "id": "CIS-5.1.4_imp", + "id": "CIS-5.1.4_impact_statement", "name": "impact_statement", "prose": "Care should be taken not to remove access to pods to system components which require this for their operation" }, { - "id": "CIS-5.1.4_rem", + "id": "CIS-5.1.4_remediation_procedure", "name": "remediation_procedure", "prose": "Where possible, remove `create` access to `pod` objects in the cluster." }, { - "id": "CIS-5.1.4_aud", + "id": "CIS-5.1.4_audit_procedure", "name": "audit_procedure", "prose": "Review the users who have create access to pod objects in the Kubernetes API." 
}, { - "id": "CIS-5.1.4_ctl", + "id": "CIS-5.1.4_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Allowlist Authorized Scripts CONTROL:v8 2.7 DESCRIPTION:Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" } @@ -9792,7 +9792,7 @@ ], "links": [ { - "href": "#40ef7715-d34e-4299-b724-8db221ee316a", + "href": "#7529501b-33d5-4e34-9865-699bb66c1d07", "rel": "reference" } ], 
@@ -9803,27 +9803,27 @@ "prose": "The `default` service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed." }, { - "id": "CIS-5.1.5_rat", + "id": "CIS-5.1.5_rationale_statement", "name": "rationale_statement", "prose": "Kubernetes provides a `default` service account which is used by cluster workloads where no specific service account is assigned to the pod.\n\nWhere access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.\n\nThe default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments." }, { - "id": "CIS-5.1.5_imp", + "id": "CIS-5.1.5_impact_statement", "name": "impact_statement", "prose": "All workloads which require access to the Kubernetes API will require an explicit service account to be created." }, { - "id": "CIS-5.1.5_rem", + "id": "CIS-5.1.5_remediation_procedure", "name": "remediation_procedure", "prose": "None required." }, { - "id": "CIS-5.1.5_aud", + "id": "CIS-5.1.5_audit_procedure", "name": "audit_procedure", "prose": "Every OpenShift project has its own service accounts. Every service account has an associated user name that can be granted roles, just like a regular user. The user name for each service account is derived from its project and the name of the service account. Service accounts are required in each project to run builds, deployments, and other pods. The default service accounts that are automatically created for each project are isolated by the project namespace." 
}, { - "id": "CIS-5.1.5_ctl", + "id": "CIS-5.1.5_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Disable Dormant Accounts CONTROL:v8 5.3 DESCRIPTION:Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.;TITLE:Disable Dormant Accounts CONTROL:v7 16.9 DESCRIPTION:Automatically disable dormant accounts after a set period of inactivity.;" } @@ -9886,7 +9886,7 @@ ], "links": [ { - "href": "#734acfa7-8bcf-41c6-a204-39f69a614757", + "href": "#a27b3a4a-2bad-49d8-af3f-78a1df9ae814", "rel": "reference" } ], 
@@ -9897,27 +9897,27 @@ "prose": "Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server" }, { - "id": "CIS-5.1.6_rat", + "id": "CIS-5.1.6_rationale_statement", "name": "rationale_statement", "prose": "Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.\n\nAvoiding mounting these tokens removes this attack avenue." }, { - "id": "CIS-5.1.6_imp", + "id": "CIS-5.1.6_impact_statement", "name": "impact_statement", "prose": "Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals." }, { - "id": "CIS-5.1.6_rem", + "id": "CIS-5.1.6_remediation_procedure", "name": "remediation_procedure", "prose": "Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it." }, { - "id": "CIS-5.1.6_aud", + "id": "CIS-5.1.6_audit_procedure", "name": "audit_procedure", "prose": "Review pod and service account objects in the cluster and ensure that the option below is set, unless the resource explicitly requires this access.\n\n```\nautomountServiceAccountToken: false\n```" }, { - "id": "CIS-5.1.6_ctl", + "id": "CIS-5.1.6_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;" } @@ -10000,7 +10000,7 @@ ], "links": [ { - "href": "#a948d084-d975-48df-ae1d-7515cf8655ed", + "href": "#343e2a40-49b5-4238-b2de-39c5a421c84b", "rel": "reference" } ], 
@@ -10011,27 +10011,27 @@ "prose": "Do not generally permit containers to be run with the `securityContext.privileged` flag set to `true`." }, { - "id": "CIS-5.2.1_rat", + "id": "CIS-5.2.1_rationale_statement", "name": "rationale_statement", "prose": "Privileged containers have access to all Linux Kernel capabilities and devices. A container running with full privileges can do almost everything that the host can do. This flag exists to allow special use-cases, like manipulating the network stack and accessing devices.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit privileged containers.\n\nIf you need to run privileged containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.1_imp", + "id": "CIS-5.2.1_impact_statement", "name": "impact_statement", "prose": "Pods defined with `spec.containers[].securityContext.privileged: true` will not be permitted." }, { - "id": "CIS-5.2.1_rem", + "id": "CIS-5.2.1_remediation_procedure", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privileged` field is set to `false`." }, { - "id": "CIS-5.2.1_aud", + "id": "CIS-5.2.1_audit_procedure", "name": "audit_procedure", "prose": "The set of SCCs that admission uses to authorize a pod are determined by the user identity and groups that the user belongs to. 
Additionally, if the pod specifies a service account, the set of allowable SCCs includes any constraints accessible to the service account.\n\nAdmission uses the following approach to create the final security context for the pod:\n\n- Retrieve all SCCs available for use.\n- Generate field values for security context settings that were not specified on the request.\n- Validate the final settings against the available constraints.\n\nIf a matching set of constraints is found, then the pod is accepted. If the request cannot be matched to an SCC, the pod is rejected.\n\nA pod must validate every field against the SCC. \n\nGet the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether privileged is enabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Privileged\"; done\n```\n\nVerify that there is at least one SCC which does not have `Allow Privileged` set to `true`." }, { - "id": "CIS-5.2.1_ctl", + "id": "CIS-5.2.1_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -10094,7 +10094,7 @@ ], "links": [ { - "href": "#bdebcb0c-998e-4c8a-8286-4f8444ceb5eb", + "href": "#c6b36abb-ad36-4ca8-a53e-4d56cf82ef34", "rel": "reference" } ], 
@@ -10105,27 +10105,27 @@ "prose": "Do not generally permit containers to be run with the `hostPID` flag set to true." }, { - "id": "CIS-5.2.2_rat", + "id": "CIS-5.2.2_rationale_statement", "name": "rationale_statement", "prose": "A container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host PID namespace.\n\nIf you need to run containers which require hostPID, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.2_imp", + "id": "CIS-5.2.2_impact_statement", "name": "impact_statement", "prose": "Pods defined with `Allow Host PID: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.2_rem", + "id": "CIS-5.2.2_remediation_procedure", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host PID` field is set to false." }, { - "id": "CIS-5.2.2_aud", + "id": "CIS-5.2.2_audit_procedure", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether Allow Host PID is true:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host PID\"; done\n```\n\nVerify that there is at least one SCC which does not return true." 
}, { - "id": "CIS-5.2.2_ctl", + "id": "CIS-5.2.2_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" } @@ -10188,7 +10188,7 @@ ], "links": [ { - "href": "#d9172411-f615-4e9f-a4dc-808a5ee0d534", + "href": "#2b29a9f1-2454-4959-ad8b-3bb2f0ed9c98", "rel": "reference" } ], 
@@ -10199,27 +10199,27 @@ "prose": "Do not generally permit containers to be run with the `hostIPC` flag set to true." }, { - "id": "CIS-5.2.3_rat", + "id": "CIS-5.2.3_rationale_statement", "name": "rationale_statement", "prose": "A container running in the host's IPC namespace can use IPC to interact with processes outside the container.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host IPC namespace.\n\nIf you have a requirement to containers which require hostIPC, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.3_imp", + "id": "CIS-5.2.3_impact_statement", "name": "impact_statement", "prose": "Pods defined with `Allow Host IPC: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.3_rem", + "id": "CIS-5.2.3_remediation_procedure", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host IPC` field is set to `false`." }, { - "id": "CIS-5.2.3_aud", + "id": "CIS-5.2.3_audit_procedure", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `Allow Host IPC` is enabled:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host IPC\"; done\n```\n\nVerify that there is at least one SCC which does not return true." }, { - "id": "CIS-5.2.3_ctl", + "id": "CIS-5.2.3_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. 
Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Deploy Application Layer Filtering Proxy Server CONTROL:v7 12.9 DESCRIPTION:Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.;" } @@ -10282,7 +10282,7 @@ ], "links": [ { - "href": "#1ad797e3-a3d5-40e1-8505-614c699bcb43", + "href": "#3135b679-9654-4b06-ad69-c68486cd9029", "rel": "reference" } ], 
@@ -10293,27 +10293,27 @@ "prose": "Do not generally permit containers to be run with the `hostNetwork` flag set to true." }, { - "id": "CIS-5.2.4_rat", + "id": "CIS-5.2.4_rationale_statement", "name": "rationale_statement", "prose": "A container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host network namespace.\n\nIf you have need to run containers which require hostNetwork, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.4_imp", + "id": "CIS-5.2.4_impact_statement", "name": "impact_statement", "prose": "Pods defined with `Allow Host Network: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.4_rem", + "id": "CIS-5.2.4_remediation_procedure", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host Network` field is omitted or set to `false`." }, { - "id": "CIS-5.2.4_aud", + "id": "CIS-5.2.4_audit_procedure", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `Allow Host Network` is enabled:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host Network\"; done\n```\n\nVerify that there is at least one SCC which does not return true." }, { - "id": "CIS-5.2.4_ctl", + "id": "CIS-5.2.4_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. 
Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Segment the Network Based on Sensitivity CONTROL:v7 14.1 DESCRIPTION:Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).;" } @@ -10376,7 +10376,7 @@ ], "links": [ { - "href": "#4e1d8c4f-1146-40cc-b369-427d9d159ad1", + "href": "#2b50adfc-1a99-4408-bc25-65a9be712705", "rel": "reference" } ], 
@@ -10387,27 +10387,27 @@ "prose": "Do not generally permit containers to be run with the `allowPrivilegeEscalation` flag set to `true`." }, { - "id": "CIS-5.2.5_rat", + "id": "CIS-5.2.5_rationale_statement", "name": "rationale_statement", "prose": "A container running with the `allowPrivilegeEscalation` flag set to `true` may have processes that can gain more privileges than their parent.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run.\n\nIf you have need to run containers which use setuid binaries or require privilege escalation, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.5_imp", + "id": "CIS-5.2.5_impact_statement", "name": "impact_statement", "prose": "Pods defined with `Allow Privilege Escalation: true` will not be permitted unless they are run under a specific SCC." }, { - "id": "CIS-5.2.5_rem", + "id": "CIS-5.2.5_remediation_procedure", "name": "remediation_procedure", "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privilege Escalation` field is set to `false`." }, { - "id": "CIS-5.2.5_aud", + "id": "CIS-5.2.5_audit_procedure", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether privileged is enabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Privilege Escalation\"; done\n```\n\nVerify that there is at least one SCC which does not return true." 
}, { - "id": "CIS-5.2.5_ctl", + "id": "CIS-5.2.5_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -10470,7 +10470,7 @@ ], "links": [ { - "href": "#d871d223-f64d-413a-a7ed-d8e32d56c318", + "href": "#02bd932b-86f2-40ea-b393-127c921dbb1b", "rel": "reference" } ], 
@@ -10481,27 +10481,27 @@ "prose": "Do not generally permit containers to be run as the root user." }, { - "id": "CIS-5.2.6_rat", + "id": "CIS-5.2.6_rationale_statement", "name": "rationale_statement", "prose": "Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have an escalated likelihood of container breakout.\n\nIdeally, all containers should run as a defined non-UID 0 user.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit root users in a container.\n\nIf you need to run root containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." }, { - "id": "CIS-5.2.6_imp", + "id": "CIS-5.2.6_impact_statement", "name": "impact_statement", "prose": "Pods with containers which run as the root user will not be permitted." }, { - "id": "CIS-5.2.6_rem", + "id": "CIS-5.2.6_remediation_procedure", "name": "remediation_procedure", "prose": "None required. By default, OpenShift includes the non-root SCC with the the `Run As User Strategy` is set to either `MustRunAsNonRoot`. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs." 
}, { - "id": "CIS-5.2.6_aud", + "id": "CIS-5.2.6_audit_procedure", "name": "audit_procedure", "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether running containers as root is enabled:\n\n```\n# needs verification\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Run As User Strategy\"; done\n\n#For SCCs with MustRunAs verify that the range of UIDs does not include 0\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"\\sUID\"; done\n```\n\nVerify that there is at least one SCC which returns `MustRunAsNonRoot` or one SCC which returns `MustRunAs` with the range of UIDs not including 0." }, { - "id": "CIS-5.2.6_ctl", + "id": "CIS-5.2.6_CIS_Controls", "name": "CIS_Controls", "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" } @@ -10564,7 +10564,7 @@ ], "links": [ { - "href": "#6f9b020d-b90e-4e4f-9581-a656e1a80216", + "href": "#bc77b6a9-1889-46db-b22f-75a7dc0ead87", "rel": "reference" } ], 
@@ -10575,27 +10575,27 @@
 "prose": "Do not generally permit containers with the potentially dangerous NET_RAW capability."
 },
 {
- "id": "CIS-5.2.7_rat",
+ "id": "CIS-5.2.7_rationale_statement",
 "name": "rationale_statement",
 "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. By default this can include potentially dangerous capabilities. With Docker as the container runtime the NET_RAW capability is enabled which may be misused by malicious containers.\n\nIdeally, all containers should drop this capability.\n\nThere should be at least one Security Context Constraint (SCC) defined which prevents containers with the NET_RAW capability from launching.\n\nIf you need to run containers with this capability, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC."
 },
 {
- "id": "CIS-5.2.7_imp",
+ "id": "CIS-5.2.7_impact_statement",
 "name": "impact_statement",
 "prose": "Pods with containers which run with the NET_RAW capability will not be permitted."
 },
 {
- "id": "CIS-5.2.7_rem",
+ "id": "CIS-5.2.7_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Required Drop Capabilities` is set to include either `NET_RAW` or `ALL`."
 },
 {
- "id": "CIS-5.2.7_aud",
+ "id": "CIS-5.2.7_audit_procedure",
 "name": "audit_procedure",
 "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `NET_RAW` is disabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Required Drop Capabilities\"; done\n```\n\nVerify that there is at least one SCC which returns `NET_RAW` or `ALL`."
 },
 {
- "id": "CIS-5.2.7_ctl",
+ "id": "CIS-5.2.7_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;"
 }
@@ -10658,7 +10658,7 @@
 ],
 "links": [
 {
- "href": "#3fd49788-15e2-4948-9efe-6476e43153f9",
+ "href": "#07a1f737-1346-490e-be2b-542bcb5153c3",
 "rel": "reference"
 }
 ],
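Review bot: The audit_procedure for 5.2.7 ships a shell block that still carries the `# needs verification` placeholder, as does 5.2.6's in the hunk above, so the catalog publishes audit commands that its own authors flagged as unconfirmed. Either confirm the loops against a cluster and drop the marker, or say in the prose that the commands are illustrative so an assessor does not treat them as the authoritative check. The rationale in the same hunk also states that NET_RAW is enabled "With Docker as the container runtime", while the 5.7.2 audit text further down says CRI-O is the supported runtime on OpenShift 4; the sentence should name CRI-O or speak of "the container runtime" generically. Both are context lines, so if the text is generated from source data the fix belongs upstream.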
@@ -10669,27 +10669,27 @@
 "prose": "Do not generally permit containers with capabilities assigned beyond the default set."
 },
 {
- "id": "CIS-5.2.8_rat",
+ "id": "CIS-5.2.8_rationale_statement",
 "name": "rationale_statement",
 "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities outside this set can be added to containers which could expose them to risks of container breakout attacks.\n\nThere should be at least one Security Context Constraint (SCC) defined which prevents containers with capabilities beyond the default set from launching.\n\nIf you need to run containers with additional capabilities, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC."
 },
 {
- "id": "CIS-5.2.8_imp",
+ "id": "CIS-5.2.8_impact_statement",
 "name": "impact_statement",
 "prose": "Pods with containers which require capabilities outside the default set will not be permitted."
 },
 {
- "id": "CIS-5.2.8_rem",
+ "id": "CIS-5.2.8_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Ensure that `Allowed Capabilities` is set to an empty array for every SCC in the cluster except for the `privileged` SCC."
 },
 {
- "id": "CIS-5.2.8_aud",
+ "id": "CIS-5.2.8_audit_procedure",
 "name": "audit_procedure",
 "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check the values for `Allowed Capabilities`:\n\n```\n\noc describe scc | grep “Default Add Capabilities”\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allowed Capabilities\"; done\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Default Add Capabilities\"; done\n```\n\nMinimize the number of SCCs that have `Allowed Capabilities` set to anything other than an empty array.\n\nMinimize the number of SCCs that have `Default Add Capabilities` set to anything other than an empty array."
 },
 {
- "id": "CIS-5.2.8_ctl",
+ "id": "CIS-5.2.8_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;"
 }
@@ -10752,7 +10752,7 @@
 ],
 "links": [
 {
- "href": "#5883459b-fe6c-4243-a28c-74542f102e6b",
+ "href": "#9abe2b7a-f6a4-4f9a-9e11-bcfe5036f2ac",
 "rel": "reference"
 }
 ],
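Review bot: The audit command `oc describe scc | grep “Default Add Capabilities”` in 5.2.8's audit_procedure uses typographic quotes (U+201C/U+201D), which the shell hands to grep as literal characters, so the pattern never matches a line of `oc describe` output and the command silently finds nothing; 5.2.9's `grep “Required Drop Capabilities”` in the next hunk has the same defect. Replace them with the escaped ASCII quotes the surrounding loops already use: `oc describe scc | grep \"Default Add Capabilities\"`. Since these are unchanged context lines, the correction is most likely needed in the source the catalog is generated from.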
@@ -10763,27 +10763,27 @@
 "prose": "Do not generally permit containers with capabilities"
 },
 {
- "id": "CIS-5.2.9_rat",
+ "id": "CIS-5.2.9_rationale_statement",
 "name": "rationale_statement",
 "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user.\n\nIn many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principal of least privilege use of capabilities should be minimized."
 },
 {
- "id": "CIS-5.2.9_imp",
+ "id": "CIS-5.2.9_impact_statement",
 "name": "impact_statement",
 "prose": "Pods with containers which require capabilities to operate will not be permitted."
 },
 {
- "id": "CIS-5.2.9_rem",
+ "id": "CIS-5.2.9_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a SCC which forbids the admission of containers which do not drop all capabilities."
 },
 {
- "id": "CIS-5.2.9_aud",
+ "id": "CIS-5.2.9_audit_procedure",
 "name": "audit_procedure",
 "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether capabilities have been forbidden:\n\n```\noc describe scc | grep “Required Drop Capabilities”\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Required Drop Capabilities\"; done\n```"
 },
 {
- "id": "CIS-5.2.9_ctl",
+ "id": "CIS-5.2.9_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;"
 }
@@ -10859,7 +10859,7 @@
 ],
 "links": [
 {
- "href": "#8a214a7c-1583-4195-bea0-27a40ff87310",
+ "href": "#de4f7379-b991-4a36-986c-775f51d15ce7",
 "rel": "reference"
 }
 ],
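Review bot: The audit_procedure for 5.2.9 ends right after the grep loop with no statement of what a passing result looks like, unlike 5.2.7 and 5.2.8 which close with a "Verify that…" sentence, so an assessor has no pass criterion to record. Given the remediation asks for an SCC that forbids containers which do not drop all capabilities, a closing line such as `Verify that at least one SCC returns ALL under Required Drop Capabilities.` would make the check auditable. The control-level prose `Do not generally permit containers with capabilities` in the same hunk also reads as truncated next to 5.2.8's wording and is worth checking against the source.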
@@ -10870,27 +10870,27 @@
 "prose": "There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster."
 },
 {
- "id": "CIS-5.3.1_rat",
+ "id": "CIS-5.3.1_rationale_statement",
 "name": "rationale_statement",
 "prose": "Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies."
 },
 {
- "id": "CIS-5.3.1_imp",
+ "id": "CIS-5.3.1_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-5.3.1_rem",
+ "id": "CIS-5.3.1_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "None required."
 },
 {
- "id": "CIS-5.3.1_aud",
+ "id": "CIS-5.3.1_audit_procedure",
 "name": "audit_procedure",
 "prose": "Review the documentation of CNI plugin in use by the cluster, and confirm that it supports Ingress and Egress network policies.\n\nOpenShift Container Platform uses a software-defined networking (SDN) approach to provide a unified cluster network that enables communication between Pods across the OpenShift Container Platform cluster. This Pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS). The OpenShift SDN uses Network Policies. The OpenShift SDN CNI plug-in provides all Kubernetes v1 NetworkPolicy features except for egress policy types and IPBlock. However, OpenShift provides means to implement fine grained filtering of egress traffic. OpenShift provides several options for controlling the traffic leaving the cluster. These options are :\n\n- Egress firewall\n- Egress routers\n- Egress static IP"
 },
 {
- "id": "CIS-5.3.1_ctl",
+ "id": "CIS-5.3.1_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. 
Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.;"
 }
@@ -10953,7 +10953,7 @@
 ],
 "links": [
 {
- "href": "#f31c52ec-13fd-43f0-894e-ea44f1d89192",
+ "href": "#3956167d-c231-4fdf-9b5d-8f4523d33d96",
 "rel": "reference"
 }
 ],
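Review bot: The `CIS_Controls` part of 5.3.1 packs several TITLE:/CONTROL:/DESCRIPTION: tuples (v8 4.4 and v7 9.5 here) into one `;`-separated prose string, which is structured data inside a string: every downstream mapping has to re-parse it with an undocumented grammar, and a `;` inside a description would break the split. If the generator can emit one part per mapped control, or a `props` entry per control (for example name `CIS_Control`, value `v8 4.4`), that is the more robust OSCAL shape; otherwise the separator and field format should be documented where consumers of the catalog can find it. The same shape is used by every control's CIS_Controls part in this patch, so the point applies throughout.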
@@ -10964,27 +10964,27 @@
 "prose": "Use network policies to isolate traffic in your cluster network."
 },
 {
- "id": "CIS-5.3.2_rat",
+ "id": "CIS-5.3.2_rationale_statement",
 "name": "rationale_statement",
 "prose": "Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints.\n\nOnce there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic"
 },
 {
- "id": "CIS-5.3.2_imp",
+ "id": "CIS-5.3.2_impact_statement",
 "name": "impact_statement",
 "prose": "Once there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic\""
 },
 {
- "id": "CIS-5.3.2_rem",
+ "id": "CIS-5.3.2_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Follow the documentation and create `NetworkPolicy` objects as you need them."
 },
 {
- "id": "CIS-5.3.2_aud",
+ "id": "CIS-5.3.2_audit_procedure",
 "name": "audit_procedure",
 "prose": "The OpenShift 4 CNI plugin uses network policies and by default all Pods in a project are accessible from other Pods and network endpoints. To isolate one or more Pods in a project, you create NetworkPolicy objects in that project to indicate the allowed incoming connections. Project administrators can create and delete NetworkPolicy objects within their own project. 
For more information see: \n\nRun the following command and review the `NetworkPolicy` objects created in the cluster.\n\n```\noc -n all get networkpolicy\n```\n\nEnsure that each namespace defined in the cluster has at least one Network Policy."
 },
 {
- "id": "CIS-5.3.2_ctl",
+ "id": "CIS-5.3.2_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enable Firewall Filtering Between VLANs CONTROL:v7 14.2 DESCRIPTION:Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.;"
 }
@@ -11060,7 +11060,7 @@
 ],
 "links": [
 {
- "href": "#22c05cd2-11a1-4406-aad3-c2fe508895bc",
+ "href": "#8d22ae4e-39b2-4a2d-b875-f3f7c340b70a",
 "rel": "reference"
 }
 ],
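Review bot: The audit command `oc -n all get networkpolicy` in 5.3.2's audit_procedure is not a valid cluster-wide query: `all` is treated as a namespace name, so the command lists nothing useful, while the stated intent is every namespace, which is `oc get networkpolicy -A` (the form 5.4.1's audit already uses). Two text defects sit in the same hunk: the impact_statement ends with a stray escaped quote (`...continue to accept all traffic\"`), and the audit prose has a dangling `For more information see: ` with no reference after it. All three are unchanged context lines, so the fix presumably belongs in the source the catalog is generated from.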
@@ -11071,27 +11071,27 @@
 "prose": "Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets."
 },
 {
- "id": "CIS-5.4.1_rat",
+ "id": "CIS-5.4.1_rationale_statement",
 "name": "rationale_statement",
 "prose": "It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs."
 },
 {
- "id": "CIS-5.4.1_imp",
+ "id": "CIS-5.4.1_impact_statement",
 "name": "impact_statement",
 "prose": "Application code which expects to read secrets in the form of environment variables would need modification"
 },
 {
- "id": "CIS-5.4.1_rem",
+ "id": "CIS-5.4.1_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables."
 },
 {
- "id": "CIS-5.4.1_aud",
+ "id": "CIS-5.4.1_audit_procedure",
 "name": "audit_procedure",
 "prose": "Information about ways to provide sensitive data to pods is included in the documentation. \n[Providing sensitive data to pods](https://docs.openshift.com/container-platform/4.5/nodes/pods/nodes-pods-secrets.html)\nRun the following command to find references to objects which use environment variables defined from secrets.\n\n```\noc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {\"\\n\"}{end}' -A\n```"
 },
 {
- "id": "CIS-5.4.1_ctl",
+ "id": "CIS-5.4.1_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;"
 }
@@ -11159,27 +11159,27 @@
 "prose": "Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets."
 },
 {
- "id": "CIS-5.4.2_rat",
+ "id": "CIS-5.4.2_rationale_statement",
 "name": "rationale_statement",
 "prose": "Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure that access to secrets is carefully limited. Using an external secrets provider can ease the management of access to secrets, especially where secrets are used across both Kubernetes and non-Kubernetes environments."
 },
 {
- "id": "CIS-5.4.2_imp",
+ "id": "CIS-5.4.2_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-5.4.2_rem",
+ "id": "CIS-5.4.2_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution."
 },
 {
- "id": "CIS-5.4.2_aud",
+ "id": "CIS-5.4.2_audit_procedure",
 "name": "audit_procedure",
 "prose": "OpenShift supports a broad ecosystem of security partners many of whom provide integration with enterprise secret vaults.\n\nReview your secrets management implementation."
 },
 {
- "id": "CIS-5.4.2_ctl",
+ "id": "CIS-5.4.2_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.;"
 }
@@ -11255,7 +11255,7 @@
 ],
 "links": [
 {
- "href": "#27d3deca-2b7d-4f56-9076-5f9bfd37d4fc",
+ "href": "#3bbb424e-c219-459e-95e5-0ddc1060db7c",
 "rel": "reference"
 }
 ],
@@ -11266,27 +11266,27 @@
 "prose": "Configure Image Provenance for your deployment."
 },
 {
- "id": "CIS-5.5.1_rat",
+ "id": "CIS-5.5.1_rationale_statement",
 "name": "rationale_statement",
 "prose": "Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster.\n\nYou can control which images can be imported, tagged, and run in a cluster using the image controller. For additional information on the image controller, see [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html)"
 },
 {
- "id": "CIS-5.5.1_imp",
+ "id": "CIS-5.5.1_impact_statement",
 "name": "impact_statement",
 "prose": "You need to regularly maintain your provenance configuration based on container image updates."
 },
 {
- "id": "CIS-5.5.1_rem",
+ "id": "CIS-5.5.1_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html"
 },
 {
- "id": "CIS-5.5.1_aud",
+ "id": "CIS-5.5.1_audit_procedure",
 "name": "audit_procedure",
 "prose": "Review the image controller parameters in your cluster and verify that image provenance is configured as appropriate."
 },
 {
- "id": "CIS-5.5.1_ctl",
+ "id": "CIS-5.5.1_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Deploy System Configuration Management Tools CONTROL:v7 5.4 DESCRIPTION:Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.;"
 }
@@ -11369,7 +11369,7 @@
 ],
 "links": [
 {
- "href": "#857442a9-20c5-4df5-b2f2-b5f949c5d418",
+ "href": "#85b3d0bd-5a26-4094-b401-20276530da42",
 "rel": "reference"
 }
 ],
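Review bot: The remediation_procedure of 5.5.1 has a markdown link with no closing parenthesis, `[Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html`, so renderers will not produce a link and the URL text runs into the closing quote; the rationale_statement in the same hunk carries the complete form of the same link and can be copied. As with the other prose defects in this patch, the line is unchanged context, so the correction presumably belongs in the generator's source data rather than in the emitted JSON.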
@@ -11380,27 +11380,27 @@
 "prose": "Use namespaces to isolate your Kubernetes objects."
 },
 {
- "id": "CIS-5.7.1_rat",
+ "id": "CIS-5.7.1_rationale_statement",
 "name": "rationale_statement",
 "prose": "Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. Resources created in one namespace can be hidden from other namespaces. By default, each resource created by a user in Kubernetes cluster runs in a default namespace, called `default`. You can create additional namespaces and attach resources and users to them. You can use Kubernetes Authorization plugins to create policies that segregate access to namespace resources between different users."
 },
 {
- "id": "CIS-5.7.1_imp",
+ "id": "CIS-5.7.1_impact_statement",
 "name": "impact_statement",
 "prose": "You need to switch between namespaces for administration."
 },
 {
- "id": "CIS-5.7.1_rem",
+ "id": "CIS-5.7.1_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Follow the documentation and create namespaces for objects in your deployment as you need them."
 },
 {
- "id": "CIS-5.7.1_aud",
+ "id": "CIS-5.7.1_audit_procedure",
 "name": "audit_procedure",
 "prose": "OpenShift Projects wrap Kubernetes namespaces and are used by default in OpenShift 4. \n\nRun the following command and review the namespaces created in the cluster.\n\n```\noc get namespaces\n```\n\nEnsure that these namespaces are the ones you need and are adequately administered as per your requirements."
 },
 {
- "id": "CIS-5.7.1_ctl",
+ "id": "CIS-5.7.1_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. 
Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.;"
 }
@@ -11463,7 +11463,7 @@
 ],
 "links": [
 {
- "href": "#684b6ec6-91ef-431f-bf05-19c5ba144746",
+ "href": "#58a34685-46ae-4842-8a99-f49445402b36",
 "rel": "reference"
 }
 ],
@@ -11474,27 +11474,27 @@
 "prose": "Enable `default` seccomp profile in your pod definitions."
 },
 {
- "id": "CIS-5.7.2_rat",
+ "id": "CIS-5.7.2_rationale_statement",
 "name": "rationale_statement",
 "prose": "Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container."
 },
 {
- "id": "CIS-5.7.2_imp",
+ "id": "CIS-5.7.2_impact_statement",
 "name": "impact_statement",
 "prose": "If the `default` seccomp profile is too restrictive for you, you will need to create and manage your own seccomp profiles."
 },
 {
- "id": "CIS-5.7.2_rem",
+ "id": "CIS-5.7.2_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "To enable the `default` seccomp profile, use the reserved value `/runtime/default` that will make sure that the pod uses the default policy available on the host."
 },
 {
- "id": "CIS-5.7.2_aud",
+ "id": "CIS-5.7.2_audit_procedure",
 "name": "audit_procedure",
 "prose": "In OpenShift 4, CRI-O is the supported runtime. CRI-O runs unconfined by default in order to meet CRI conformance criteria. \n\nOn RHEL CoreOS, the default seccomp policy is associated with CRI-O and stored in `/etc/crio/seccomp.json`. The default profile is applied when the user asks for the runtime/default profile via annotation to the pod and when the associated SCC allows use of the specified seccomp profile. \n\nConfiguration of allowable seccomp profiles is managed through OpenShift Security Context Constraints."
 },
 {
- "id": "CIS-5.7.2_ctl",
+ "id": "CIS-5.7.2_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;"
 }
@@ -11557,7 +11557,7 @@
 ],
 "links": [
 {
- "href": "#3642ea59-a333-48b5-a365-3749ad5ffe0a",
+ "href": "#5aa56099-0a8b-4495-8824-4ac8a6ddc6f6",
 "rel": "reference"
 }
 ],
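Review bot: The remediation_procedure of 5.7.2 tells the reader to use the reserved value `/runtime/default`, but the seccomp profile name that Kubernetes and CRI-O recognize is `runtime/default` with no leading slash, and the audit_procedure in the same hunk correctly says `runtime/default`, so the two parts of one control contradict each other. Drop the slash: `use the reserved value runtime/default`. The remediation also never says where the value is set (the pod annotation versus the pod's `securityContext`), which an operator following the procedure needs; a short sentence pointing at the pod spec field or annotation would close that gap. The line is unchanged context, so the correction presumably belongs upstream in the source data.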
@@ -11568,27 +11568,27 @@
 "prose": "Apply Security Context to Your Pods and Containers"
 },
 {
- "id": "CIS-5.7.3_rat",
+ "id": "CIS-5.7.3_rationale_statement",
 "name": "rationale_statement",
 "prose": "A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context."
 },
 {
- "id": "CIS-5.7.3_imp",
+ "id": "CIS-5.7.3_impact_statement",
 "name": "impact_statement",
 "prose": "If you incorrectly apply security contexts, you may have trouble running the pods."
 },
 {
- "id": "CIS-5.7.3_rem",
+ "id": "CIS-5.7.3_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers."
 },
 {
- "id": "CIS-5.7.3_aud",
+ "id": "CIS-5.7.3_audit_procedure",
 "name": "audit_procedure",
 "prose": "Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate.\n\nOpenShift's Security Context Constraint feature is on by default in OpenShift 4 and applied to all pods deployed. SCC selection is determined by a combination of the values in the securityContext and the rolebindings for the account deploying the pod."
 },
 {
- "id": "CIS-5.7.3_ctl",
+ "id": "CIS-5.7.3_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies CONTROL:v7 8.3 DESCRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.;"
 }
@@ -11656,27 +11656,27 @@
 "prose": "Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult."
 },
 {
- "id": "CIS-5.7.4_rat",
+ "id": "CIS-5.7.4_rationale_statement",
 "name": "rationale_statement",
 "prose": "Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources."
 },
 {
- "id": "CIS-5.7.4_imp",
+ "id": "CIS-5.7.4_impact_statement",
 "name": "impact_statement",
 "prose": "None"
 },
 {
- "id": "CIS-5.7.4_rem",
+ "id": "CIS-5.7.4_remediation_procedure",
 "name": "remediation_procedure",
 "prose": "Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace."
 },
 {
- "id": "CIS-5.7.4_aud",
+ "id": "CIS-5.7.4_audit_procedure",
 "name": "audit_procedure",
 "prose": "In OpenShift, projects (namespaces) are used to group and isolate related objects. When a request is made to create a new project using the web console or oc new-project command, an endpoint in OpenShift Container Platform is used to provision the project according to a template, which can be customized. \n\nThe cluster administrator can allow and configure how developers and service accounts can create, or self-provision, their own projects. Regular users do not have access to the default project. \n\nProjects starting with openshift- and kube- host cluster components that run as Pods and other infrastructure components. 
As such, OpenShift does not allow you to create Projects starting with openshift- or kube- using the oc new-project command.\n\nFor more information, see \n[Working with projects](https://docs.openshift.com/container-platform/4.4/applications/projects/working-with-projects.html) and \n[Configuring project creation](https://docs.openshift.com/containerplatform/4.4/applications/projects/configuring-project-creation.html)\n\nRun this command to list objects in default namespace\n\n```\noc project default\noc get all \n```\n\nThe only entries there should be system managed resources such as the `kubernetes` and `openshift` service"
 },
 {
- "id": "CIS-5.7.4_ctl",
+ "id": "CIS-5.7.4_CIS_Controls",
 "name": "CIS_Controls",
 "prose": "TITLE:Configure Trusted DNS Servers on Enterprise Assets CONTROL:v8 4.9 DESCRIPTION:Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. ;TITLE:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers CONTROL:v7 5 DESCRIPTION:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers;"
 }
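Review bot: The audit sequence `oc project default` followed by `oc get all` in 5.7.4's audit_procedure changes the auditor's current project as a side effect, so whoever runs it leaves their kubeconfig context pointed at `default`; `oc get all -n default` lists the same objects without altering state and is the safer form for an audit step. The second documentation link in the same part points at `docs.openshift.com/containerplatform/4.4/...`, where the hyphen in `container-platform` is missing, so that link is broken while the first link in the same sentence is correct. The closing sentence (`The only entries there should be system managed resources such as the kubernetes and openshift service`) is the pass criterion and would be clearer stated as one, for example `Verify that the only entries are the system-managed kubernetes and openshift services.`; these are context lines, so the fix presumably belongs in the generator's source data.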
@@ -11690,467 +11690,467 @@
 "back-matter": {
 "resources": [
 {
- "uuid": "8bb677a7-7b91-4f77-b721-85c544770893",
+ "uuid": "4fa8c2d3-6b4c-428a-a0bb-5e25f4bed301",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "b4771c7c-b878-40ac-9e05-21476d348568",
+ "uuid": "a17d309e-222a-44a5-b2df-e0239742208d",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "b06b95e2-d73e-4e4d-a334-ae863bdd80d2",
+ "uuid": "f7f556ab-234b-4a8a-a2ca-fec600e826de",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/"
 },
 {
- "uuid": "4d949458-3dce-4886-bcae-e8927b7f6b5b",
+ "uuid": "005c3423-193e-4db8-9ea4-a4535d6615dd",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/"
 },
 {
- "uuid": "b926b009-736f-4256-aba4-f00d92a4250f",
+ "uuid": "17caf35a-2d76-4359-8ff9-dc3b12f2a874",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/"
 },
 {
- "uuid": "c0701093-fab7-42c3-920c-93a01dcfeb2d",
+ "uuid": "ba265dc2-094e-48d5-a15a-8b982fb6d579",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/"
 },
 {
- "uuid": "822f1e30-a21f-4cff-9c9d-5065b8f675b7",
+ "uuid": "a66fe000-f5f1-4fe8-b67f-f2260dd22875",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
 },
 {
- "uuid": "e45552c2-8d5b-4d42-823f-0ddfed828273",
+ "uuid": "d14ae650-3329-416b-9a3b-bea168fe3742",
 "description": "https://coreos.com/etcd:https://kubernetes.io/docs/admin/etcd/:https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane"
 },
 {
- "uuid": "ccaed7c9-7ce1-412a-aae5-cb53e37cc0c8",
+ "uuid": "5864249f-943b-4f1c-9a21-2a0a42e92dea",
 "description": "https://docs.openshift.com/container-platform/4.3/networking/cluster-network-operator.html:https://kubernetes.io/docs/concepts/cluster-administration/networking/"
 },
 {
- "uuid": "8d4d808e-99b0-4181-815f-2a7b03e311f7",
+ "uuid": "b679d699-ad77-45c7-9ed4-454a836b1031",
 "description": "https://docs.openshift.com/container-platform/4.3/networking/cluster-network-operator.html:https://kubernetes.io/docs/concepts/cluster-administration/networking/"
 },
 {
- "uuid": "57b03bf4-abef-4ffb-a8d5-83dd1e32a84f",
+ "uuid": "1436e335-5bdc-4339-aa7e-ded1e56b015c",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://etcd.io/#data-dir:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
 },
 {
- "uuid": "4ed24380-ff84-471a-b732-d190144e9be3",
+ "uuid": "28d31254-ad8d-47c5-a102-594b3db49a4c",
 "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://etcd.io/#data-dir:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
 },
 {
- "uuid": "ccba75f5-d463-4f61-ab24-1dfce255d5b1",
+ "uuid": "5872a0ff-2aea-4191-a31b-d914bdc46ca5",
 "description": "https://docs.openshift.com/container-platform/4.5/cli_reference/openshift_cli/administrator-cli-commands.html:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/"
 },
 {
- "uuid": "bf6f8fc1-5d6e-446f-b940-9c57455bf385",
+ "uuid": "4213a185-9ecd-4449-bc5b-69e70d993a1e",
 "description": "https://docs.openshift.com/container-platform/4.5/cli_reference/openshift_cli/administrator-cli-commands.html:https://kubernetes.io/docs/reference/setup-tools/kubeadm/"
 },
 {
- "uuid": "d83510f0-b3e0-44c8-b5ce-afc0e3e9e354",
+ "uuid": "57aa304b-00fa-4232-9256-0fd8759f895b",
 "description": "https://docs.openshift.com/container-platform/4.4/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/"
 },
 {
- "uuid": "9a47b7f3-e65f-4360-9f45-19abd0dba25e",
+ "uuid": "b85602ea-e0f6-4269-b0cd-127ca71aad50",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/"
 },
 {
- "uuid": "9d1e9d7b-0070-4ea3-b936-834b27599247",
+ "uuid": "fe348e22-27d2-4571-b80d-8c70585a573b",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/"
 },
 {
- "uuid": "39961bf3-de5a-4a00-8f57-992bbd76603d",
+ "uuid": "7d91ba62-6f3b-4d8e-8fc0-ff364ee9698f",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/"
 },
 {
- "uuid": "ad2c2f55-a868-4b54-89a3-91c6e696d0a1",
+ "uuid": "dae88d42-4bb1-40c1-922b-b85f28d0e6a5",
 "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "4e53b8bd-7316-4f14-b5c9-168e07180cdb",
+ "uuid": "815280f3-e7fc-476b-a501-d0634af3a099",
 "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "932cfadc-2331-45f9-af63-1a7a3f70bbd6",
+ "uuid": "12f8aefa-7fd0-459f-9adb-8728606d9264",
 "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "5e30ec9b-cd6f-425d-a5f2-bc82a9e0625c",
+ "uuid": "b9d562c5-133b-4668-9fc7-4a7282729362",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests"
 },
 {
- "uuid": "5cb2cbe2-e79d-4337-838a-b2e201c9e20b",
+ "uuid": "c21de945-e1d8-46eb-a6f0-4b2d39647126",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/configuring-internal-oauth.html:https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-password-file"
 },
 {
- "uuid": "02c37c6e-28ff-43aa-8f5c-c45a685d2e7f",
+ "uuid": "c8cac56e-c95a-492c-b4b4-96029b3d386d",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/configuring-internal-oauth.html:https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "47a40e2f-7b0b-422c-99ae-9e609728aebf",
+ "uuid": "211f6ba7-c1d1-4752-8760-fd0275037356",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L12-L13:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L94-L98:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/"
 },
 {
- "uuid": "1f36f919-5055-47bb-8de3-dc71e2e920bd",
+ "uuid": "02acf696-664a-4db1-806b-9e3bf6fefc09",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L12-L13:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L94-L98:https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/:https://kubernetes.io/docs/concepts/architecture/control-plane-node-communication/"
 },
 {
- "uuid": "0f84e4ba-df36-47fc-aa37-b4e7ecc36aa4",
+ "uuid": "962e3009-5d45-4476-aeca-aaefc49f6924",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/:https://kubernetes.io/docs/concepts/architecture/control-plane-node-communication/"
 },
 {
- "uuid": "f5983ad8-2026-4303-9929-fd5be7aa4599",
+ "uuid": "251c9643-b352-41d2-9f01-2dfe57309378",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authorization/"
 },
 {
- "uuid": "36c3249c-2810-486c-9493-2880915d8ffa",
+ "uuid": "bb7b5742-5b2c-430a-9b6a-4f1858595232",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/node/:https://github.com/kubernetes/kubernetes/pull/46076:https://acotten.com/post/kube17-security"
 },
 {
- "uuid": "ed50c1b1-4f14-4fbe-b68b-ee2c54a93f4e",
+ "uuid": "1116a809-988c-4842-999b-ccef601d5394",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/bootkube/manifests/cluster-role-binding-kube-apiserver.yaml:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L17-L21:https://kubernetes.io/docs/reference/access-authn-authz/rbac/"
 },
 {
- "uuid": "42bec8ac-cdd0-4233-80a2-ef17015e1ba7",
+ "uuid": "1606121c-52d7-4151-a8c1-16ee0f008c11",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/concepts/cluster-administration/flow-control/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit:https://github.com/staebler/community/blob/9873b632f4d99b5d99c38c9b15fe2f8b93d0a746/contributors/design-proposals/admission_control_event_rate_limit.md"
 },
 {
- "uuid": "95b30083-4285-4876-9512-ae40f86d1b51",
+ "uuid": "0528b166-2830-4e29-aa47-363dd53f4cfd",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwaysadmit"
 },
 {
- "uuid": "a887fb95-3c62-425e-9d95-5aa07b2ceb5b",
+ "uuid": "84035c9f-01d8-4568-8ae9-19adb99a17fe",
 "description": "https://docs.openshift.com/container-platform/4.5/openshift_images/managing_images/image-pull-policy.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages"
 },
 {
- "uuid": "a4e867b6-1c5d-417d-87ce-032d23b56f57",
+ "uuid": "feffeefb-16ba-429b-b4ca-21388319d682",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#working-with-rbac"
 },
 {
- "uuid": "62aea79a-19eb-4d4d-9bd4-9a24a1a81a20",
+ "uuid": "a6f2be73-fce4-478b-b7ff-771175f4ecde",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/understanding-and-creating-service-accounts.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount:https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
 },
 {
- "uuid": "88334bd3-8089-4e30-b23e-a60f88658b55",
+ "uuid": "792c0621-103b-4a4e-8dee-856b89f1a52a",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle"
 },
 {
- "uuid": "40b48607-ac72-42b9-b1e0-26413fa42b6a",
+ "uuid": "6efeb241-5cbd-4dc4-b441-4db43b3a9de9",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies"
 },
 {
- "uuid": "4a79e285-c9a5-43af-92aa-d1d42fcd5cad",
+ "uuid": "d4167fac-5246-48e7-8c49-3fe03e105295",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/origin/blob/release-4.5/vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane/manifests.go#L132"
 },
 {
- "uuid": "3894da9e-f7ce-46ff-901d-fca892803b75",
+ "uuid": "2a3c4201-8b18-42b0-8738-c147909ad9b7",
 "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L104-L105:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "a1410fbd-16a2-4954-a5a4-47c2335c4dd4",
+ "uuid": "e4203371-598c-4b79-8842-5db913aa22fd",
 "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L102-L103:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L103-L105:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/kube-apiserver/pod.yaml#L155-L157:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "3c8ca9d7-6549-4c36-9d79-bce7c47ee8ec",
+ "uuid": "50031704-586c-410e-98cf-10ef739d70ee",
 "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L102-L103:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L103-L105:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "a0d90513-5fc1-4744-855d-177454767fa8",
+ "uuid": "b8e9bdb5-bccc-4810-bb9d-00abed8280f3",
 "description": "https://github.com/openshift/kubernetes-kubelet/blob/master/config/v1beta1/types.go#L259-L277:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/kube-apiserver/pod.yaml#L71-L84:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md"
 },
 {
- "uuid": "68265dc0-7a7e-49b5-8696-924b77423c85",
+ "uuid": "84a0a831-5582-455f-bba9-2678f9d2907b",
 "description": "https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L22-L31:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22"
 },
 {
- "uuid": "16def20b-14db-455e-8f3b-f10599d9ee40",
+ "uuid": "26f1f625-6f6b-4e4c-895b-e5e906fa60a5",
 "description": "https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L41-L77:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22"
 },
 {
- "uuid": "5da25480-84cd-4a2b-a526-67265789b9b7",
+ "uuid": "d60e7953-7bbb-4724-ba06-c8dc1342599d",
 "description": "https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L165-168:https://github.com/openshift/cluster-authentication-operator/blob/master/bindata/oauth-apiserver/deploy.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
 },
 {
- "uuid": "21e872c9-f39b-4a09-9aff-1dcaab5b2383",
+ "uuid": "e0e80c67-b72e-4901-b794-f94d21ad00d3",
 "description": "https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22"
 },
 {
- "uuid": "3143c548-eaff-4fb8-af3f-59787de41ac3",
+ "uuid": "54376cd1-fb80-4913-b697-e069b70228de",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/pull/51415"
 },
 {
- "uuid": "d51e9220-e3f8-4cae-94c1-f7cf43f37c70",
+ "uuid": "1873c344-2e9a-4725-ba6e-c70b243e52b3",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L145-L146:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/issues/24167:https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use"
 },
 {
- "uuid": "4188e1a2-f0ff-4f1c-bf69-fbbf15b4f486",
+ "uuid": "b634e77b-e951-46d1-a6f6-4afa24dc444b",
 "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/issues/24167"
 },
 {
- "uuid": "4b6ba567-785d-4f8f-b7bb-3f8c9d8b98d1",
+ "uuid": "18aa8ead-f2ab-4af5-a05c-eab73e5b4ac8",
 "description": "https://docs.openshift.com/container-platform/4.4/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://etcd.io/"
 },
 {
- "uuid": "028da810-1e51-43a1-ac9f-2e041949c1de",
+ "uuid": "cb03103c-f6ae-42fd-abf3-e8c8513d3580",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#user-provided-certificates-for-the-api-server_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide"
 },
 {
- "uuid": "7f3c670d-2513-4acf-a814-6cba66af12b3",
+ "uuid": "befe3b8f-c971-4274-9724-1df35e87491c",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#user-provided-certificates-for-the-api-server_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide"
 },
 {
- "uuid": "3dab0d41-67da-4f36-9137-7e63b621682c",
+ "uuid": "145df28f-05bb-489e-a5f2-120c097942d7",
 "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://etcd.io/"
 },
 {
- "uuid": "5992b0b7-d2b0-47a3-b819-d13bdde29a68",
+ "uuid": "d02d38ef-2e86-4dcf-a894-b44ddb562b12",
 "description": "https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/:https://acotten.com/post/kube17-security:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/features/issues/92"
 },
 {
- "uuid": "1acc4a3c-6834-4fb0-bae1-d743511159c0",
+ "uuid": "9e782cd9-b388-4b72-ba8e-5ae74e2fc06f",
 "description": "https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/:https://acotten.com/post/kube17-security:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/features/issues/92:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers"
 },
 {
- "uuid": "e75501a2-c5f6-42b0-8c4c-56220a7d5321",
+ "uuid": "22b065f6-0a4a-4564-86a1-e6a050ebbcca",
 "description": "https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress:https://docs.openshift.com/container-platform/4.5/rest_api/config_apis/apiserver-config-openshift-io-v1.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites"
 },
 {
- "uuid": "614f36e5-a5e7-4fd1-b212-97d46635ab05",
+ "uuid": "e3a167bb-1cbd-4137-b983-f58504c4e56a",
 "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L554-L604:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/kubernetes/issues/28484" }, { - "uuid": "a0cd76ba-5b3b-4ede-8ad4-82ef0e89da65", + "uuid": "66d532eb-5316-4b56-9a65-2cb7a0905f7e", "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/tree/master:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/manifests/00_openshift-kube-controller-manager-ns.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/community/blob/master/contributors/devel/sig-scalability/profiling.md" }, { - "uuid": "9a07f228-1b6b-4d05-993e-b5dff8aa4d04", + "uuid": "3505a93f-6a2a-47c9-b131-a82dff05e6bb", "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/tree/master:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/ds.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/sa.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/separate-sa-role.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/separate-sa-rolebinding.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/:https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml:https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml:https://kubernetes.io/docs/reference/access-authn-authz/rbac/#controller-roles" }, { - "uuid": 
"521c91ea-b8cd-4ba1-be26-99997ff62041", + "uuid": "f9793b52-6b7b-4e7b-aae7-e19bbbc5fba4", "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#service-ca-certificates_ocp-certificates:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" }, { - "uuid": "3d3a74dc-9186-4da4-b7d9-54a31fdc4ee4", + "uuid": "619a4bf8-1ef8-440e-8b2f-b8eae6ff3e56", "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#service-ca-certificates_ocp-certificates:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/kubernetes/issues/11000" }, { - "uuid": "bb301df3-f9dc-47db-bb2a-43cfac62bbd0", + "uuid": "6023ef46-fe27-4793-93b7-ce98ced8c51f", "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://github.com/kubernetes/kubernetes/blob/release-1.11/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval-controller:https://github.com/kubernetes/features/issues/267:https://github.com/kubernetes/kubernetes/pull/45059:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" }, { - "uuid": "309dfb4c-b87f-4648-a2a4-52ecf44d4a80", + "uuid": "6ebf3416-fb70-4668-877f-7b32f2b95156", "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" }, { - "uuid": "47a3fd6b-b95a-434d-915d-71b5afe6540b", + "uuid": "cbb79ba5-171a-4d74-b1c0-8320a2768d32", "description": 
"https://github.com/openshift/cluster-kube-scheduler-operator:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/svc.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml#L32-L37:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/:https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md" }, { - "uuid": "fe18577a-9838-40ad-8ea7-ca45972c4436", + "uuid": "2ff045aa-73f4-4a43-847e-2800c9103fc5", "description": "https://github.com/openshift/cluster-kube-scheduler-operator:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/svc.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml#L32-L37:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/" }, { - "uuid": "f5a5f692-9d11-4c31-a48a-eefeba268475", + "uuid": "2f934076-115e-4a0e-a143-32b8ef9b6ac9", "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" }, { - "uuid": "832774b2-5950-4e10-83d9-0f216679461e", + "uuid": "04d99409-c5ca-4dca-b891-b54d04ea091c", "description": 
"https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#client-cert-auth" }, { - "uuid": "a466cb1e-8796-4f5a-b1ac-989f33a2c7d9", + "uuid": "99e79ffc-d5d4-4ad9-91c9-0115bfc0f6a2", "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#auto-tls" }, { - "uuid": "af06202d-d39b-42b8-b4a7-930dea06a830", + "uuid": "c480cf85-174b-4355-b88d-00671113c7a1", "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" }, { - "uuid": "74fd0641-3cae-435f-9e7d-ce6dcbe02b8f", + "uuid": "04062f96-b445-49e4-b38d-4951b110f77b", "description": 
"https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#peer-client-cert-auth" }, { - "uuid": "4c66ba57-c10e-4697-a964-b046788fa4af", + "uuid": "634f886c-c6f9-4d79-98fe-a68ec9ce12db", "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://etcd.io/#peer-auto-tls:https://etcd.io/#peer-auto-tls" }, { - "uuid": "c88b42c3-268d-480d-be52-66741e503329", + "uuid": "2363ce8b-2795-4ad8-b608-b705247cb6ab", "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/" }, { - "uuid": "01409ae6-b0ad-475f-bfa7-2ee62ec12645", + "uuid": "8ebb9358-103a-43af-b4c2-e186afa69e70", "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html:https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html#authorization-overview_using-rbac:https://docs.openshift.com/container-platform/4.5/authentication/remove-kubeadmin.html" }, { - "uuid": "ab0d220b-f42a-43e2-8a48-2956d0bd259b", + "uuid": "c2f5eee5-88b7-438f-9493-c5746ff68ce2", "description": "https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L17-L31:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/" }, { - "uuid": "40c249f0-75cc-4bc0-a918-0bd941c7f119", + "uuid": "86318b47-61fc-4f0e-ac04-fed8c9da28bd", "description": "https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-audit-config.html:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html#nodes-pods-audit-log-basic_nodes-nodes-audit-log:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L47-L77:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://github.com/k8scop/k8s-security-dashboard/blob/master/configs/kubernetes/adv-audit.yaml:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy:https://github.com/falcosecurity/falco/blob/master/examples/k8s_audit_config/audit-policy.yaml:https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L735" }, { - "uuid": "f9696bf0-c0b0-4185-bfb7-1e0ac9c8bbc2", + "uuid": "5523abbc-69be-44aa-b8f0-0d7765282334", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#44-joining-your-nodes:https://kubernetes.io/docs/reference/setup-tools/kubeadm/#kubelet-drop-in" }, { - "uuid": "bcea46e5-4512-402a-adb9-e634398e12c7", + "uuid": "5ee947fa-4977-45ef-9514-b79a9a6f8f3b", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#44-joining-your-nodes:https://kubernetes.io/docs/reference/setup-tools/kubeadm/#kubelet-drop-in" }, { - "uuid": "3dd2d4d7-e7ef-48e3-af9e-65c0f98ce54e", + "uuid": "5c7d8368-40e9-4cca-9c90-c8a1505f9eb8", "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/configuring-kube-proxy.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/" }, { - "uuid": "5adc197e-0e49-4fb7-8515-f27bb0678df1", + "uuid": "201ef3a5-b95c-4b95-9ca6-041cc45753f3", "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/configuring-kube-proxy.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/" }, { - "uuid": "70faa058-f2af-4134-8837-af3f5f9feef3", + "uuid": "2679f20e-d437-4fbd-94d3-9300deb20362", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "fb86cf83-bb72-4429-bd81-49a8cf5ff14e", + "uuid": "efb94d9e-c91c-4b0b-8201-aa94f6c582b2", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "9ded8000-d42b-4a39-af87-bc6e28a796f3", + "uuid": "119a992c-26bc-44e0-819f-c53616338a13", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs" }, { - "uuid": "19499b83-fe98-4a2e-8493-c7210a52de61", + "uuid": "472cc874-97ff-4a4c-81bd-a3b565232455", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs" }, { - "uuid": "51257190-348d-45c4-995f-213482f31bda", + "uuid": "cec3a4bf-70ae-4eeb-b412-a52803f2e0d6", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" }, { - "uuid": "d50db4b8-bea1-4e87-b70c-2cefd530c90a", + "uuid": "daac5ddf-fd89-4f90-acbe-3eaa4706cfb4", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" }, { - "uuid": "4156bdf5-c46c-4799-a01c-c495a846073f", + "uuid": "edffbd8c-2ca8-456c-8ff8-759a7e369a87", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication" }, { - "uuid": "5e1c910a-8d1d-410e-8d7f-1d072a024fa0", + "uuid": "97c4e51f-69c2-48d6-8f3c-4820ce812ae7", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication" }, { - "uuid": "c408887a-6ee5-4cc9-b911-aa10de086da4", + "uuid": "b0a79284-59f4-4b12-a7a4-b7fd73d32e36", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L28-L29:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/" }, { - "uuid": "0a57128d-4803-49f8-b086-2969ee569eb4", + "uuid": "aad9d053-7481-4ef1-a443-dc6fe0aa3909", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L28-L29:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L114-L115:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L135-L141:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "1eece71c-cc88-463f-9a39-465f737b31c5", + "uuid": "25b0a20a-b36a-41b7-bd96-6fd4a7dfd325", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/pull/18552" }, { - "uuid": "77ca7af9-cafc-406a-b735-b82415471bce", + "uuid": "fcb2eff5-95e4-4f94-b1c0-7fd3d06d829a", "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L618-L626:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" }, { - "uuid": "b2679e66-bd6f-4791-9b35-0b85d81e5139", + "uuid": "576ebaa9-bb17-44ce-98cd-021442090ba2", "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L618-L626:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"
 },
 {
- "uuid": "71a16eb1-f934-4738-8b8d-4ad9bcdf285b",
+ "uuid": "df258d02-632c-46ba-b131-938998ac806f",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/issues/22063"
 },
 {
- "uuid": "b8ec980b-ad39-4593-81a2-3998c02a849f",
+ "uuid": "1895214f-40e8-4615-b019-61940dfa98cd",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go"
 },
 {
- "uuid": "6686bf97-28d3-4b99-9e19-640474302bb1",
+ "uuid": "f1854ab5-825d-4054-9a85-32e73db22296",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide:https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/"
 },
 {
- "uuid": "2a5a9ff4-65f6-4eea-bfbd-56cb3a734454",
+ "uuid": "ca0ebe3e-495e-4753-80a1-a9b809fe8fd1",
 "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L172-L181:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://github.com/kubernetes/kubernetes/pull/41912:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration:https://kubernetes.io/docs/imported/release/notes/:https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/"
 },
 {
- "uuid": "25e569d4-5013-4c28-8ac4-b42c658e5130",
+ "uuid": "7fb3efc3-eb24-45a0-a08f-d321b903cd0d",
 "description": "https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://github.com/kubernetes/kubernetes/pull/45059:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration"
 },
 {
- "uuid": "a7a6baf7-d860-4e6d-8678-968ffdee1e01",
+ "uuid": "bcc08c26-c8b2-4455-85b6-e329fcd34a19",
 "description": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles"
 },
 {
- "uuid": "40ef7715-d34e-4299-b724-8db221ee316a",
+ "uuid": "7529501b-33d5-4e34-9865-699bb66c1d07",
 "description": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
 },
 {
- "uuid": "734acfa7-8bcf-41c6-a204-39f69a614757",
+ "uuid": "a27b3a4a-2bad-49d8-af3f-78a1df9ae814",
 "description": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
 },
 {
- "uuid": "a948d084-d975-48df-ae1d-7515cf8655ed",
+ "uuid": "343e2a40-49b5-4238-b2de-39c5a421c84b",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies"
 },
 {
- "uuid": "bdebcb0c-998e-4c8a-8286-4f8444ceb5eb",
+ "uuid": "c6b36abb-ad36-4ca8-a53e-4d56cf82ef34",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
 },
 {
- "uuid": "d9172411-f615-4e9f-a4dc-808a5ee0d534",
+ "uuid": "2b29a9f1-2454-4959-ad8b-3bb2f0ed9c98",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
 },
 {
- "uuid": "1ad797e3-a3d5-40e1-8505-614c699bcb43",
+ "uuid": "3135b679-9654-4b06-ad69-c68486cd9029",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
 },
 {
- "uuid": "4e1d8c4f-1146-40cc-b369-427d9d159ad1",
+ "uuid": "2b50adfc-1a99-4408-bc25-65a9be712705",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
 },
 {
- "uuid": "d871d223-f64d-413a-a7ed-d8e32d56c318",
+ "uuid": "02bd932b-86f2-40ea-b393-127c921dbb1b",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
 },
 {
- "uuid": "6f9b020d-b90e-4e4f-9581-a656e1a80216",
+ "uuid": "bc77b6a9-1889-46db-b22f-75a7dc0ead87",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
 },
 {
- "uuid": "3fd49788-15e2-4948-9efe-6476e43153f9",
+ "uuid": "07a1f737-1346-490e-be2b-542bcb5153c3",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.com/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
 },
 {
- "uuid": "5883459b-fe6c-4243-a28c-74542f102e6b",
+ "uuid": "9abe2b7a-f6a4-4f9a-9e11-bcfe5036f2ac",
 "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.com/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
 },
 {
- "uuid": "8a214a7c-1583-4195-bea0-27a40ff87310",
+ "uuid": "de4f7379-b991-4a36-986c-775f51d15ce7",
 "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift-sdn/about-openshift-sdn.html:https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/"
 },
 {
- "uuid": "f31c52ec-13fd-43f0-894e-ea44f1d89192",
+ "uuid": "3956167d-c231-4fdf-9b5d-8f4523d33d96",
 "description": "https://docs.openshift.com/container-platform/4.5/networking/network_policy/about-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/creating-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/multitenant-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/default-network-policy.html:https://kubernetes.io/docs/concepts/services-networking/network-policies/:https://octetz.com/docs/2019/2019-04-22-netpol-api-k8s/:https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/"
 },
 {
- "uuid": "22c05cd2-11a1-4406-aad3-c2fe508895bc",
+ "uuid": "8d22ae4e-39b2-4a2d-b875-f3f7c340b70a",
 "description": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets"
 },
 {
- "uuid": "27d3deca-2b7d-4f56-9076-5f9bfd37d4fc",
+ "uuid": "3bbb424e-c219-459e-95e5-0ddc1060db7c",
 "description": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook:https://github.com/kubernetes/community/blob/master/contributors/design-proposals/image-provenance.md:https://hub.docker.com/r/dnurmi/anchore-toolbox/:https://github.com/kubernetes/kubernetes/issues/22888"
 },
 {
- "uuid": "857442a9-20c5-4df5-b2f2-b5f949c5d418",
+ "uuid": "85b3d0bd-5a26-4094-b401-20276530da42",
 "description": "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/:https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/"
 },
 {
- "uuid": "684b6ec6-91ef-431f-bf05-19c5ba144746",
+ "uuid": "58a34685-46ae-4842-8a99-f49445402b36",
 "description": "https://docs.openshift.com/container-platform/4.2/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth:https://github.com/kubernetes/kubernetes/issues/39845:https://github.com/kubernetes/kubernetes/pull/21790:https://github.com/kubernetes/community/blob/master/contributors/design-proposals/seccomp.md#examples:https://docs.docker.com/engine/security/seccomp/"
 },
 {
- "uuid": "3642ea59-a333-48b5-a365-3749ad5ffe0a",
+ "uuid": "5aa56099-0a8b-4495-8824-4ac8a6ddc6f6",
 "description": "https://kubernetes.io/docs/concepts/policy/security-context/:https://learn.cisecurity.org/benchmarks"
 }
 ]
diff --git a/data/CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx b/data/CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx deleted file mode 100644 index 0c5b8e67bb8c4843f7b8cc6fb94616391bf621e9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 120094 zcmeFZgR`fZe&SrbiCd)%U5o>#oz&16G2A#|I&TkU=024M<)>a?l9|1gb&=f$%`cu=-Mt z4z3msu0~p(A1qu9I6m6jQGbPpWzGe`0^|SR1e z2$Z23A}qOpTl^@=M!s-HjOxD<;aOa&fel+?XUdS>bZx%5co7z*$K-NS{B1y2aK8#( z*`$Cc>5Ff)(S&!ZF}5tKJ;tUTN`GkZP}I{$C18aOf?bKpFPvQl2e%6wp>wCZ#){exIC@gKGpPT+4f72M_jDN8Wkk9~o#!P^b)LRET{bx1TR3)ohFA91;i> z^;1hh)=|1Dc>QCZ*tjnO!24_!y6nkwAC6DrdipmeM7ib9{nT&7W0%uEyvsr98%h7L z_=G2yD*~dd?4ufIuH6wg)v@W&^iNfH&2eE6>AzlO5mLiE(ex%l+8XTF4@<71#LVep zl*~MuO2EF!H75INZ}QzO-}SZE!PsUy{M`D;#0324~WGqUnKpy(+rP zrZ*KZ(~_Ep<)Kv#g1LK1qnZ9QsfADsv2Y>fgNby4eizgCa}_@Qb~Kl_q;E8>gsiJf zvz=ejdK#JAb(~9Qw&Okeu&aLQ*P!LYz2O;^>to2h^w;~&cRG~i`BM<3yR83YASjBe zco`^K|8tUv>I8UU1D_nhgFvJpWSEb3od4vBhoiHtsiULqpMv)9oPhzV8Zh?%?#GYh zC7VxN*dfPgzDNVUG0kG^78}dSUCZ?gNXV~9byetjA5Ra3k;@5EFJyn9D2IMI-$EZ) zyP2*VNBU^@xE|`sOVOm7U56oI!-0jI*G*VE8xL-rOdQ&Y* z=OSkYItF{3d!+d{sjIm`U2~c=SBo@0_*x^}&>NOczR%Uk8>Hs5<>dVw`2Fq{X@^+R zUmi7X1%WX5pW`X5=&>Oc4g{J6)Djjj0*I&o8cF$Y4II~B;`Ax`6`)7!CDu( z^7%*y7Y={z8tWUR57kjw|8|I9I{t9oib>CIUuP;@>}Gm@cjNcPWo_^L_2?L#wqCz! 
z02HA!oTyq^x|(8@YN#KDYa)~YWyrh}=_bPV;r4D+tioMG^jm?CI0(E8qZ-2^H8brr z=u*gOK7ckmC!fL#r&;IbR`OEGb+BoGw?RsNbR?bm1cpXy$GCq)_NNcq2J23UPyll_ zH{8*_R&uk%(1y#Zb0KBvM1+MQ>`y)OE|KY6;w`6_ON1KLZiptwC2?1%PhKZ#DCk++ zjI&-YZ#YaD>K4<`0^G4w+aq#tKTjm#AFOPziqMa~c~GAvtv4)LMrz%w(`kLrrRYZ% z16yZP@hScX*4Nu|M+zU`Ivf%sisC38UBCBDGXo|BV| z?RJF)Q9JKlec%}0Rmm|kk1-1E`Jxh_9r@qU<+w7vcJkre75?+RR*n2Ot?vyRca6>0b8S{*}_$Ord_YMFH6l@Nmub4dyyPz zZ(h2;Jni*eQ(bcHEWeA0)MFOxsFQTDId)I8-&Ca z_U6nB1%%)T^N^9K^4c`D=k4i9G2RCSg&kbFF`3~!)*;y{lXKXnRd1I(l}C6C)Z(9G zSfTmeb51{y`*+5b*3rX6M^F3IXO1UNt=8pIL$B_+7Z-#DsO-E0^>em|wZ@3-l!|vC z6nPsqEsa8KR$QwkmB)*NM$=@dGbUb{c z{PwLIq^7j_OzXVm`EI5tuF_9mOjJz7&(CGzcKc#;`tJO`4+|^D-_ONa`|+gVJV|?$ z^EyXt(ckCcho8$?-`(wId)xEM^M1<;RnF7x!;shG87uK?v38-`t*x!0hDsx`_GgPn z=+kXxALst)Y5T*)%?0#{;pr5*Gc#(G{rj4#KIFBp&yuJp#g8Y~=abvb7u^kNLgaB` zj~6F?zNa@&Giv*zoJI=Szp0LmzCMn&i}-jhSNnS9NL@pppgHY+w+r`uYDPipePMA} zoc?wSYKFdE&xaQ~qj752Vt&y(PufNP&rj3s+3U~Er_Zeh{0oiK7tpoG$&K?3HO>|I z^ZiQut3Ik$%GNf2Bi`Hd_v5a2l{vrLMeY1LLQC&wGNy#enwl|mk2w=DY-&_IM1Ak~ zyTb&Tp06)P{U6z%YHM#BCfl>F1fJ`!E1x~i9zCci*NK)zrpt;h)f`oymT#}9viz<$ zFRxeZ<;M0*9`DbW{r&4m;>BLSesVb%Q_lN3xq9RL?D@DCcc%34jk{6JuvNq_z1-i6 zq*BZez4znK`)f|D_HrT^ZDtwO8Q`MWF>(J@A>(TwwjXr-7pO3c;dPIZwRZq~TnK(|BlZVW6!|U%e z(Cq1Fv(uY<^T(5O&P=4pUH1py`?a{J%kz6|X^|_zh1XusH{7hz{{ELx6S@Q9(d%a~ z7u>jq`L=c^AmfF%*w0O6)UQ@o zw76zPCC-r-^Jk2xeDBHLEw(TEKQB#g99K%d8%G*F-RRMpzO5(2s)u$N8dxut$ldY1 zdM|Z$jWLv&WaXah7fW-saJ_VF_)I8vaW97BNHH!f9ZfMVbcl{AL4>(SMax0q$*;cdJ z;N22zS6CWD+DF<5!cD;t*Ai5`#~kb*6&>f%#CT`Dst3o5v1qmW7S08Ojjw7-91^Gj zmx6f2S2d6JW0?x|^t_G>Ux3X~)s)?uQ8(e&0!2P0>K{`$GYsOc%*=@ z75rS29WjUw{9H2~l5k2G_@vDIVCz*?xU$xcPAn?1w`gJyp)%W`$2AyQy!Ba{>NeET zkYFz!TSLh=uS5c57=L?!5+dASvD5DgfhUKk)Dw%g0sSHZ3li>K&4D}eb>KT5Q(+v>3XDG%}PXK>IG+vyP32rbX|S0h0bC91^L;) z3WbqwFaak-BIszbfyV7;F*TwPY~EIbqPRn! 
ziV3RibZ}opNg!canEm8@bSduSL5!_X}RazN6I0W4bifcxbD(8JiZf1n*J z)yZ{YP5o~uQ0o1$oAQ~29A~I^#MZ=mZi4j^M^D#RpMwWOLa!fdpm*s^s=fx70#sU&H%aGI9JtX;d#W}@|9 z{Tvi2*j{GEEM17LWZPTgDq$M`vOuMR3+20*ri;q!m~VdhIsGY7&z#hmat3> z?|be2Qw&W*`QC>Zp&2}wj`+|Y^)8}#AV#CGFMa&*ZqRCwXnHmpsF#1!ttph8cOoya zxk6UzB)^cRBQ10y4MDWTnt4Ri{3MwqEt0DqGu0=megoE+;VvzL%^sCM5H^jdHlmgh19+zwFiD^N0a#t2OR z*2Yw)XIYI>uSXch67WuXIrpQFNk}FFg04*XHHD(JcLR1~z* z8TU(m*j5>U!V0l^EGv4jsP6j&_H%L}((0v#E3(ttBw3?;v75xzDzv`Cv+>Z5p@nr*R$Bd%nOv+; z->vEYh`4v0nLM%lME=o>v4C%sC%CA;hsSXgh&0Khc({sCrJXs!{CIv!WuIu#3iJA~V~3gDv5>s!2Z zN6Uv0-_8~Yb%?^PlNYaTuGuy~DOOQ{eh&~54P{rf&bB~QO9*7)oTiONeDzs%VTv=^L$H?#+ z&MvKaZ9@!o1Nq4bGXaP7`}I?_ODix*?1};0awz)r8@_LYNf|8i1;BVJ3M3^MBqBrT z%K!N7R@TO%8&?hl3k#IGVXg873tapKJQ!j z`BSlgelpJ)SryORhhH|}Jo?;veipjUKuW0w50W$s#KM2(k*l6jHwez%^*oBg;TV&L z{HZyShlgB%%22&~SD7$^J5XFfnqlZC1Gp)X$CE&hold!yDh%)?CGgbRi4FZ89v3$mje6R@nOW#212e2zT3iKw(gwdz4`kut z0=%Y;W*Ok2*wq#lF3b;B4r{NVKiNU5S^lx)V`$&PeCW4OEyJ-VpVT%(GHV0pNpOXj zpVBI2qp$ycc542kMS^YAFq^Ykf_~I6drejU1Z{|nVw4tPQ*FPEm~*3((8qB=z}AB$s3PEV+%# zsrkqA-go9)pGneC@1+=%gvv-^h*w0AU?qUH#=QB4IIYoX`n5{`g+N1p(49)QyLCZiv<46mT^t%F zI+rhe?kvB)d^r0c-0OwqV?h)e+)Uy5g_}E&D_l_k_p`VK8CORmS22(J>?hXA%1JdG zdfXP;_;Q;5{ADi;n@SA<~KlrIiST0ecRrpYP($^W%7L^ z>AFM7-6SBrLiY$j!~{Df16O>j3uL6Tq8wgSRtO(7l`J0rY72QnSsos$@|koBIrvV6 z;`IxGuz5R|lt5ie<9`UcDvWR7C#4$zMMM#W?GGfwx+tUvmq*6iv@~%MX^VB3c>4yP zA5K;p4e!?>gy|o11tu|ZP_ zO++&MXV#wLdv1S~8ktmEMw7Sw`o3{{?JVLCay#VR`3bLade{8EhQ0mg-KJwROz+Bh z36E|UqfYv+wIcNhPm5&yvaCeBLXU{Q*E{dbfyPEPk&Mc;|Ae=A$S2NH@VdGvj(+@l z{`8@NFKkBr)sr6_<%9Tf9yVTaM6tPg6Flomp2f$fpLr!lc<@kPeE0$8ACmFAXBpxd z)4XL8BVBNDwl<0@O*vARZMgrXYR_8mC@txJF0Y!c=G}Eq1bGQ5fIxfmVL1^fQ}9nu zW505F6G6GJj53RPgo7F5zxb+DBORb;q)9u^^yfES@E5D&eXz|Q1?Eqab50{U0p566 z2GIp5+f`!9td_T$)vd{e-S+Qf4S~Mz<-%+zLjkn23StPg-8eD%5ZAjP2Gs2QSh{C4iT8P;P!)U<32=Lsif3a{_woe*_9_6jb7v~!Z7-Z`n=f+`kT=o= zNHgMF8Uykiplm~JvHVZeqK&fgl<(-|u_{pV6;%J3$Lp!z=@%+@Leq}x3g>L)5&sI3 zFuOR*&->N02`+nn!cav0jLlbYp{{B!1%IjEOBF+lBRkp^ZWVfY@dcPh)fj5gqC(62 
zS5g$zc^+?h`PTzo;aVKcdbXz=k`!f|1OJ_m+59EDpYh)69Lx^r0d^n1xWa)h`9^J( zm8l7;e%`y+$XdfDI*8lX%#Z+L^f$6OlP!GBH3@74Ph~YHzjrf`>46;8^aAVk*XgdR zT|h0gR$*h)usqQUfbM<%a1`wovh?v_q&@3hkl(LsH~{A1S^#FPj-uaj_Xe;jm8>L9 z@KX+t4=eBzSKDeMuknuwaOX0`u(Ree+kIbynq*2F;CTx2&*2FHSwuSdC8HpH2z?us z>J6TF`5jPY6G8KiOfJR%>t(?>>S~Vn{)C^WVZ9CH1m+M43l#@C*kYRgDOFu*8sF{+uKE&Y zo@(7SK=phjcs!uXDMTO#nM2;$_#Ps$YAed3g6j2+?s4)f9|0`K@~ja-zY9q~04Je3 z?L&E-soFk_@Nz|=4+B2_m2e@%D#g`*lG`%-JAM2R!q;I3f}{5I~TrZ!UrL)zAN5x)asg zXcXpv8;G}lp$=VP5)cr`&2W^}k0q|Aum#vD*>Iqg7YuZ8ppRY|Jc2M_qolP$P&uujqOk z>BK)Grf?LL62(Nv1p0Uf7?y}H9L1Jzw{j1m7L}2T&;B}{Ync`3H(B{%Nw2y|h7jCt z$f~1PLYt=r5cCO@zjF9b$ujG*>N^%2y8QtPxJ%WRRi;L-tX$zX88h(W=7zj#p$s@o zRd5TU#zW*=I2#OCc%C}v4^k%Hb6gRxuDE^Vw<;u z;2TA|zf#gWsYSXYeM1r;L&6o$2LlFYuusYl!_iqM+dE$e4&G(>2*|`2_EO6uZUY33 z`X0mPH}=WB0jn^WE(P6#N^i3)l81<-;ExJ_ga|$zeG_{-8`GCR5xe4_x^WFx?6@LJ z#~2?uGcz;2id*~+@I|a{p+SF&*1L=;-Y}`tp=QR*v_^`D_n}1T9jl%lX3s&dC8DLS znT@yDUoeU%-?82qzc|=8tGqm%y?^g;boX8WG}WL6!NHU7+27xf^FYz!NJ00eS}4DI z9eAK=g$$VdSl`zA8?WDR|C06rgTG@%`TOh-j(W0nH0m>cY0rNNy1uHzR6undiLEc? 
z)NL#|S|{!pI2>Q`BRBwLg#Hz``;W)OB+H^F7ni~IcBOw0>7L?|N@nwa7J#?_Iv=v^rmP@p(SlcC_(bwP{*WHHCL_v?^=X)Cn zGxf+S*_`bY(q$ajoNW_;P$SgU%de8RP8g*1Ak;mS!$eXL4n6P4QYNN{PeidqSEfi4 zjZjo`3K;Cu2wjWDDr$hk$!~yzG4~HAinzc=l4vd~mKfPYSt_LJZYhved^|@V1{O2E zGZOxd0*hh5sygS9@8%kq`S4~0PLNE388knnwfHn%&&`zp4p+47RmydSnBRDHP-f{dY^_biCFbHEKiVA?geOc*ohLY#RWzr zOKRB&!U06F;Uy%x*fc+atkIG#o>A~IgnFb~Jbr%U53^k?l(5Jc%n40xD-Kj;{(F(+ zVC|T#rpr*o6oN7Dl-a;Hz>n~5A)&SCWjJ8;DjW89sj*)`=sgS88_Q!Bpwi*PMr>CU zbMm*Gkcz+0FnC!e5u@<~=KbCH51=I}GMxAsjXpe)h8C4fB0}JnKw>G|+NCP&tZ6+K z+wh}6frI8KELPRxAUcrc6HR*;LawaMwIOW(=Xi8Sk{6oY(SXl_z!FABuRtt-r8TToh^@`!+exZJ#_6{)8A)Ss?|G@*imH}mwpNMV-y@HWiH96!mu+*-}K zKmZX!g0G2}P#`~qNi2C!zCd#XvZ>`AZ(;iDq~Z!29;yULN&$Ic71n4$*!WLbLV7jv z-R#KauLMQT^G`beMQJCq)F`+{k?mKv@fvF}T4Yl9*dD{?2RuJAXMFz;_{tH6+$kW8 zf55W~)V(#*-JGZ8jat;%{7vf;#l}|iUEU;Nf;L6wh^=NmjvPJFL|FA8b^AlyQ82tj zvm6q(a*=$2w<~B)2R8a}9K}p7A80}};GsAyuQOj&BWp0#BTk>QxJ6JTXuP-#=Yy;5 z?*PYD=}}Zz-T18Npm)M<~ITKlX&hQ$Q%@GkN|?WetVUHNI2- zAnFlhg!n^|czHE>oP4JIKe6DJIm`uQujtPw$lE3BHo$~D?YRjp-`6Q=z(KfJQ<`$EyI?XevUFP>_QrOcOwo8tEgw%CWwBCYn~!&P4& zj=3~9hyK8lMqCQZP^6p#EG=jBo|#YNZ4p#aTfU?Q^1tjESgV>sR-{`ivIOu&&q3N5%tqiTd+g%Y6fU^NAK_q4CQ zyT_2dhr<-sS_;%aWn$38Xp5n`(H_}0e;^-|H;}X@;-6<3*#9Izji_fRk?p@)84#R? 
zdXgs~_%;`PW@AZO3KWh8I#H(Lj$;3kftLfOR$FLC!Q0k5C9I+x!%S-6I|w-W+Wt87 zaOb2F8T@(x9R!FSYK)^b14uOJk0p71aKK>YNduNZ5QyU=U(ZH1pX%T~RZ)1mE4f&W zc9pIlEvDar&5UVF0PRo-m!ibbom~({wi_WFbm5NrXAAUs1Hr5k#B-x^ELM6@<~#iQ zE3m&OX>Inmh%i49Kx2EQfZN=Hg#Ph#)_L9Ti?i%1&Tn8iKTzY15~s-ns@*#8k81y5 z21HjN5M3%{4Do(Bw~^u;1iPS-w>i_wBc-qvO$9tU)k1s&AqggZmj6NK!BE-9;M_5BUTe`eDN#>I};`|CvH6sY)dMJnajz!#OaLT=&jl+Jru-?wgB> zfdx{ndnCdpaay-b7<0Pi;uV^@ZGXM$5}AtsW8HB-5W4Y^N+$#spDg2dd#2FnC!{Dq zx75{THE$n((rQM%``_n$Y`D8!pG*4(&uzLc2|E5};4Jr90LtqJC=W@sw^iqx^2!2s z{;@ss#I*ptH3wP{-{%6v=}dJt#-J7;`2S%Mn3TCbejY9Y0ljt_X=(6 zbkP>butqKFn%7YYk>ecRgzXqd--d(6n*1CP(pK5C_Jn8P*g>})11DJ3JekDMH9J%K zc$H}Qnur8(0q)XZ_ux2FJi3br##@+#)`s`Ssr-en$7+CbjY`#BsCbT5GP@kp`DcxY zDm$2ayX(W4{75r5*LZATu`)5q6OGpUCmLhfJEmABWF8Z6tqL(bj|q1FCy3u1M*YMm zNYA!g_0ov}xV;3ywBRp|STScUGf4AJD|{5$gg0}ARSMUsbJ@+?T?XhVCQM*@1j+T!Y5>5*U;VkMO*gRzea7{2PcfA zBwM-FRxU9@t**Ha8*zZ#YkS@rpwTX6BOEkts%d-qe>UaQ*`G4zO+t>(Khv)3)dDOe@4OlCu3>D29!GD!3E2T|@PU&@~g+nIYO+ z|3v3809lPC%(Xn#pAkee zj(!viv`z~Gs)TLT+CBm%nw|U4g}ygfsQ=+~HG?c?Qw0Ea#3oqjurZGA1C@aiCh6{F zKcN3o!w2haF`d~h-tB*4#L$ApgP(K9u&F&H{qAL~_jPAx5!$Q}lbV~>+N1NQFCx_K zIxoA``j^i}rc=I#Yn-migoip+bRXai2r)@#SL9(C6A{#*>LlPMw&JxrcPweRR_|9d z@sA1gpj%S7(LzDl%4&f}8!HSOSD2&Ha&8h#HsBK6^MAVp_nWxZzB(_CUNvsM+8$78 zGsF#~NExbPf5W3B3QS~2_A3}$eBBE;UEg#EdYH-*Fc|+k$F2R zdahpfdsTlT<;b$x4=<(1!POGbMpU#=%MBXEq>S*dqwp^Vb8mhijO993UjLGA{xBte zOkgDGTY+ZN$j+mc`GY`h7y9eqk&;7lejCllb_Ri8;V}(>grhi(Z}oTN$l4rR853MB z-}YakF|D8OtZ-aE9#_r^bEH1hnaLyHClwFoO*iiY(Gq<01)fC$>k@CoF$4*~_B`h* zC(uvUsMJOj9cdl};z?H(yAIDmgWoF3)nV|@rzH;Wn{e3KYVzf3r#s88r)gqJayg7B zE?D0Fq>n!{75{3FY#&~6JZJjKNRZ!A0Pc~5O4xl|3#jAvSGb|3- z|Lro^evEL`x8mct$ENCE*1~TuwX>xv=Zkct=Zwhd@OQ(E4cuBea2Qzc1I6E8xeu1l zuw96jV<&3d8OqE`wP-4D;rR&4W_UDU4Ex zAtu4|Z0~mHac4)6Da*0NMEc?EY&)N<#_M_i9QdZrz}?!83O)FF@8WpH|6kv!x!eiQ z@|zUBeQG)6I6XG<#Ef&7moSc>r=q3f(27sGbn`?(5E}eV4Vw^Dd|AV$T*Y*8HI1J+ zozUss^X|?gmAF8z5W_}IVl3EQVi_$o=%V)^h}6Vmv-Mpu91py?D5hJ!1O(Gwt5`}3 zf_Z~88b^NYs=9Dm(tegdLv&(1>gFx`?i9@9%274wvXqO1Iwc{{(zfCp(ky3|>@Y!G 
z(84DR6~IuxLmIIJ4nuL`vg;eA&q=)3e^TNiUfovAOYWtR6lOS)I~J7~W;h(NeI$G~ z&;lTAc%hwrVFPQpEAP%{wl3LPzcdP{!jXf)wX!N!d;+9BQjonIxz6*_aY3zL)yhSd{LRH2-3Y?}wA46(Re+ z{HMVrL!-rK^1YQPwAPoXmy+gQY0~CZZ2_ERMv?S|kSFWnSs(SXhszM~)14%hsZ!(~9!gj~GDDf&k5O#JRv}r14KoB< z4wV=iu(z-P>n;@o&}9_p49z&EbcPX|-Gc3{8A2efR5+y}l7#k1%0^tQUyAh&S#t2#l1*j5 zD=x8lkJm~eyAvR(F*cNunF)ugP>^nl@aJ6ie8TdF(RVmruiv?;E>w2|({2>BxJPd7 zZYV#fUJa|T(+7b`fUfA#;M?svD?3$;eWtca<&^kz#t;r}gU1>COkEddrY(oyi^Aja z1+@#}IzJODqc9-F33Y~i=3~D2x(Ok|=)sk49g7y2tFALk@=$g0ahAkr$q<)hUaa;^ z@fD4XVqo5|6b{@S>nI6zXZe(){*zK)U_FuOQ70Hw;PKjYNR~PM<@%WTIie)znBdi% z4<~ULB8kVmi#UYH{>?6f3Z<7quq3ACM^mquTh1TJgxOEQck#-*)vb=ym# zy&e;(5d+j#^Lz~Keg~-Y#$$Ah-qw3NHNDdmW-0j4%Y{r8igjPSO zstY6_gbY}9`9mRk6S-g@fc5zBZ6GWAvwIWPEHcJJNg}3jQ)5qQ+DPDhLfTrf9U1dB zGB{RkwBJP$%~~tq=aG+c=Lk%R0{KBuFP@f0=3YpG&N zATrZ$3BePhDjY(j#n>6pT^Bnj_T0i7vPj=BJ$mhaMQM%9&)SinyFI*zJULZiht42( zf&FhNYKK5rBvzd|G<>dG5L>LCvFRW|%1Ecu;I4FGewCyVyRhMMMDF(XF)?{~BlV03(p z9`SMTw*}J3z#5{&z?#!;z5coVfJ#KT5OB?}o>?b+jtOZ-G=pK8*q~E*#5~Rkt(<}b zb-7)cG~%$10zx@-6-nqdh-AxK?^4nXB;5L>GDSRLeaw&ONs8b78UvLkUxFrvkNIaJ zVu(+1m_-kYjP**$*W%S`&4*vTGPY9YtG$8!ApR=N0sBl$k7;He+Q}$;3Tn87Ko2Nw z-ktOmcP*acaXpQqhFt{%V);4=JzmEfRJKg zz(Ob(3JC&23R^Vig?uJ9>O9&&##Cb5B8(dDCTuaJ{pI#;zt+~+^-H1GJm5}lH2!5H zaukdAH*O&GfcWsO+twyzFi7jE$N42mk2$-GB+PJ{)0AxwWt2=69_Ow81hk(UL~^#jpK2 z>64L#+zmhBhV*tYCGWBlB1lG5n68!;k-+7kMpl@rj|Fj`Kw2L7xG_+jm_5U#q-bLK z-h{(tBmRUO(8RXJhntz1*3n>cbsM9Ak_#`xUXq8bQ}YaYgLtr!8iP16OGhUtbK4-> z4Ph_ChoV_*gvsmhKKFC~gdkdm2ct$xN|9Ul@ogp|_6#NC7k8s! 
z%JofEH#NkKEqh8ooZdvbanHw>1*q3!BfNUqm#x z?m=E)8F*W5L&&g}ysVBOAz`VMtRh-o#b;w#VQ-Nj-H%EQ496}*E*}-8%=$#jTvV>8 zJOZLD-5yD5DuQ6GuG!Y7{gIl#^^~?B}?WWba^+74rUJQP5t5g>E-t<8cf!Y2YVgcwlL+xbw?tJhMRuet%ZYU*0yNq5)U%eBU-Bk(JDPdnm~L?53yy{LFMb;}&M7S=m--+G(JqHK z$uCey;e;}zgpc`mB7oFZE~K4n0WYkuxGeU_NTARNt>ymcm&oFZi@aFh69U*kXaZS9 z2$dhfJcF6sHa<^W6BAZN-M7A_NN$QVwa+lTQQEUwls5VB2*;x3p0uur|r(xdkZLFe!JqIv8CQ_U0@UwURLKhrU`x;pgOAWA5D&ZnQC9J{B;n`}1F|)PSc#;y}DsL?bGPp_%gr;D5RM_M~^WM94W-aW5 z^fCuvZs65%Lh-1|mb=S{$#&q}n zf(e0!9S&}-;v4+FFPEK=EsDy+&mM`LZvCRcZB&|MFEQ(WP(x+VLV;lYQ|}O7O$VYH|PN_LGXe>`h6*R zIe>-hMU(8yiJ{JuX6j4BF@z4hBKWa3uWuA!cuu$RPKSMKOliIf6X7p!#St(WaNs8+ zh6L^2n(v_^{J~7?WR?l3g^aff0IlQ?XxTQOg2+QqX?e7P$(Jy0Yz``Zt&I(NC-KP{ z0cVf^p81}~b+W`8mDX#hywpFYRnuyhL+p)Gu%v|WSgZ(sG6xYVpiCsDxX*kb)b^6h z;i!}?R7*?5q4vz-vE>rT)kW%N|c*Gb!;4>pHzSG8@eh)nzyGbbOqZ?F1 z$?Xj+=%f3bgIlai?k#XLVvI2nRE;R%(e#IO;}gSz{yq22qt2w|C=lx1v{uK@RIebd zsqZe>;~ICRZb??$ZL~JN>hFG)ILrcW%o^ZC*_zmXy2rHy)J{zkGv!rZ39V-vp zrqugr1%-4;6@;;3EqPkGVJ8MoBw8%Pt>7S{LfH1n8m(%B-st@n%rzF-(%II@vGAo+ z+=dW`fgwTxQ?8>o-KdAQmHef1Wnc*v>NuKmN*8o%k720iaCtwdr)uTY{iNZ*~5T=sv@*Y&R3vD zp7FKf)fM8>f=(p+!E=L1Vqe|$XV`jA?`m&#HJ1YjHrni$JL~7!*3GnywMOd7vtJTVb-Vq(gHXAN7c_{C^NB|apP^W!sQ%0 zaB(zWf1fz)r$qxg_P;ipsbw-Me#ycr;>kVg-Za(wB<{gU04ad3)9Ds-Nu8R|B5vUGtgl!Ff)o;I zBh3u$C^8HBimG}5W$@9A+DL5NLABiHhQ`3BBHn9M9crWy_r zEt*1d03Ew~K>Y?+-ki1~Esg>~3VoOeeIh(4uIw>tui zO}>AM(;^K1p;i2_J70h^0!;t$H)G%WJc;C`OzGr9D{Kp4Qt7!^K$;7avRMg}zIa(g z)$f?EnUhh-BQB%rW`S8uJJ$3>lhT4%w_i#?Kz`_}D8VdQ535>2R+4X*k&Ch6%n_#AHo%WmjVP5f%@r zLpWM2QOq07aWef*Xr{Kfz(i^8_4^y{C~Q+9hc&}~0k`7}E^}>hCiSOfCf@U1y^*Yr zneT0Q*kjm|^ZhJ#Wu+jA@X!Jf|{S>%`>E`6t^YMab8O|pL z+4!sv_@RNmu+irSy}jW$LX{J#DhjaJKt-Ufx_(Jv}(LLvsX~jJ}$vU1M>Q_3!_=*{tcX z^Y~fpe|htq@>0K92RjJ#ZWxk_VCQ$ga>ac)T=CRg+A@eKmQt zc53PIeD>qs%iXWOwSBp@sp)xb>(=P`Y@zb)&ilCgvU@@8hL-!op>v~#xSe*-%hBhH z^_`{exVYo`g~z$#56?Ge4@-W}Pnl6sefu5@EoFU`9>)#W8~&ax-iAYXu8jdKU9#P4eeRIdZ6=a*u0ixUZDkih}a)&lnkfAot;?B+aC zD1EMpn;H?by;L)WqV*8w^kBM+`kb$Aj|`nZXZb#?Xm6~vbQ@V3jf8d^#Xep8?^GK8 
zXd?0N4s&$7s`9-*doXHte0rUKd)re+)D-;WUi)}^x|=hKiE;braJ{i6_Tb0HM+US` zOOB&{kLUNNGp_`$Z|D53pRg7h?nkb!+_lKt*QYO^wu=ruHmW}FtQ=q6FDCK9XLGu zom)OTJh*NoTwC5>?R6hMLBq-_wM%jeDsudv;{4|yA6gDau#Pc}tRAe7+8vi4?hda` zy+o*cD<9qbZ_sC27OGcoW@=k9y8}h9&Zjv!NBb%t&b1sxDk{Z9VvTMzALIOONX4GI z&TdYRsrslQAA`lXd>-I7Rtyki>)shZ+!w*-!RW1;-qFsDJ62w4R~m{O_`N2>N;xGH zjct!~T8Fkl`{F#g=zUXffUiK0S&c|+8ey^m$HC%$g7#IL_<2pYH{Mu3)EW4bpX$lw zPvVeKjE^*5LUSG6#?D-SGWaCVLE~3cr3h~Y-EMB4^`2Hewy^w+o>o@|sUEy}obFS^Od@P2|T>$S8Q~l_2Nkn2IuHhKZ`rQ`}4|{tv@2E6=%SXFeibIhd(u_ucVl z_xsp4Pp{GrB?6vsc)b1C&fla0P8qsk65fJD`My@?d_O>$CbgG_erW^AD%g-+MXo} z&hBSux+iJU)tblvqg1YulSd3to%5A7+QLsESGUi(8n=)8*tbuw;M>G@lUH(Fzuh`g z{9~~lGvV*Sf>m!H75XxsF+Wg@fpiNeV7O%20=QRUSW*~s6Zz5HkwmEb{{tW_>2N*)hAa|ONH3}PLLinzp0`9@M5CDFyExsSlW z@75_30#-4wS_1~7{~bItg+N3m$?paU!NmG}g>xPhjO9`?>8DQg?h~@&o+KKbJ9m7V zg-vVjK_N%uOPtaYH1_;iioA8J6%*ZptmGO+dp&SKCg)%Q0TG*I-EHYR1MAM7qco!S zMR+96ZN;LcuZ)f13CTY{5n3L^LQaQNK8TxDxX!cN1fh{BC@5RO^hxdeXOp(ie)^`N zFZ4>Q)D?DjY#xXC&k6U$JaP;AHKCwdx3c9xiJ_k!tW{e=ltB#K5CpP&GrI?8JQ3UQ zSC;CA(mQG{^X%rZ%qa)aiiG@>g!6EiNPUu~6|Q&sZ}HxZ$t#*lqVZkzjooZzt?H-@ zr~D7T-a0O-wrd-vq(@Rxx)JG;?ydn;x}>GMyGI(NK^hbg3F(sV2I+1@NlE$k0ABZX zzt8hM|M@6Ycs#K-kiV z^K>twPPG(Ar{it`wlj*3QNL{@72Z8I0`%PiakWXl%cG{P!hC~D(N&_lhXCD7 z@|}tze|9i|8dTWX8PONEFYOi)oy?68@{gjP-s`3C*eHk%uoeN-S`=NlV(&Ebr%?Lr zpog+&<)FtXf(R<*OqBfCjNsm7U&SX7bRwu%gxMoQH`+lU$i2frA8>wQU^bOhER5~b z1Rr!Sn`Xbq&Vbj@N{fsY---XX#h$SNf`#5$<{!17hI#sMKcSMM9Tt_k8jjY(PXAF! 
z@vls!I0?s7fU{spQVB$NcFqQNREZJ?!r6idkdOc;{9}_f%>UL(3#yenRGz+cm^U2= z1n{BocR?um?ieajBB0A(lW4w42i)Uf<$7aSsKsJT~G)R7DQBO6xz**Y7QcK_L;=#**{Ix!xkx7 z+kvSQ_B_612U8|d;NGdB4yZwYrv`2vdiFnRNIs}>Cj_9zWHE?2BFMo&98Hq>VYv~O zUNkrJMDTmv4?0QfBm&eXO0g8UbxtbO?{=VS-1#fEA2R~#FPM*N#5%Yr8y}$ZK7q>1 z&eKZp1Cc0i-cR+&h_;ExVI6U8(D)Pd@Ss=oeTR7L%ts{Y+)60|`|i#&=etGe-o_TF7( z|G0~u=6`NdXM+jVisau~;fAZ`-?@wL-|kAl{^vrdyN*zKFasFkq}v99H2nQt$X}m<|s>p00(CV#aJEUiU%HZ$`HdzGsspXQ}?fbcD=0If6{w+ z4sio_Q>*Qu5=ofWy2W))pi|3H@fub!bfIrZx?gOle>&%S-Zw{WkL!$xxtr4{9@AMO zTbUN@w?VD;16@RrwY~Gb`WJW(t!;zK}!m`efkOYu=MmS-Qv$3;5%ADdBcT{b}LfI zJ}w*vg4-aX{H7H#6($rL@*tr}0p~U9JkxZ$=3kRnxG1?c%k=i`gzDn$6QH4w?z1e< z=fkp9kaPUq;iZd-h0tl(>;gOD>|Iyfh&_84f+>wY@W7BHZQxy;#P&f@>mrdupZ6;| z;BlCZ#{Wt+d&&@$%nlLTRzR{j7s2hE0AcgjI~MY)8j0W>DHqiKU)&ITMtl%y~P4zud)G_Je>GuDk!J<>d}z$pf9kfg8$ z&Uhj4==ly%#*EQmAE$mZB|(voxCtV91Z;uZc_Jf< z#}%DGfEQd#M0&0F$cb$QVJei^sAJi93i~mxElpe_$0}}I|a%qcnl74 zp}Qtf^T;rzRGOnhROLVeIjA8M#6o!aMWovxW3VG$q#-!0Dtpn-+H)I322nM|sP$*E zBxPV@LY?7W4+)?+4T+XyXhfO^wlp10mdJ>LvpSKu=^HqAzP=WJOX~GxF zApwRg7-l(m>1y=!GMSpDY{%)?@r&bNjmNdHOsG%*VF$JXF4+4MnM{!NIL>()UEV_Y z-drxEJAs1(3;D?cS%me1i7-f<(nkDW4zUlKG*QTQcqFV8IAO{LMz^!^k zUI%*>?LAp-Zu|;K$Bvo9IhgI@(x@eX0h^t{eS~m8U~TUlJ0O28*+%&9x+?2=$bgB%pLyTubsI5#63AvdfEyuDoFN1 z6U2Veao{K|PTQE|{lXEXw7d9KHNr?Y^p}L<$;d7i*x;-Yt5RBdM`#(boE{3j0TxxB z7|B6*AT=Tc{VZMM<-huQo5a=`PrgN>ptUK=g(2St zea}VW@nVw0k{*HTz-X_qt0MhE!5hqh`D!9{ zK;y&80nUc>lBXJfoG!H zl_~Lsd(wH^{%K_LNKTXy;ONc_Hj ztAY9ijt7^l7m9lzvjHcxeuT@i@6u}nd-N$}>E$ zr?8bCx&u9}r!|l(q*uH{&xicx_ccox1q?8m|*|w7=X`M z?Dia7MFb$LkuLOJ9)_de1)nhuX6Idk$cw^`XuZo&HO#0qu`2zqPG@$;YHeEE!3=GNios@Ey{EIDmS)1khJ9o!%Hf!}cX29hZ-N)-OVi`p1 z?IxS1EXgAr3)|Krrz*Njd%V*P8gQ>u75K=0QRGWq^(+of$^t8sjm9`zsVe6G8 zfrcbB*VsmrLbvCxSscX1`7i;_`}ft>`xRlt{pGkm2sW*%w9xnm%n_5!WqZQrFCVY)W0907u>&+Q=7sRW>#dceuqvZX;Z6_08kPgd@dK#tK^=1*@8u2c?UBtOR#N>hPxRTMDtjR zEWVDjcfu1I6LtUrP>=^Q_`ds^U+A#j(zc_ES`&{Skc_75=@aj;T&qN=KaRf^vgI>c z{M`bH#;(0HhpC`R)Cdod=nEhb^!nEu3zbEZ$B5yHp9Gm)P9}CxQlfv-MecxxNpI9k 
zwn6td0XdRrxcZc>?%}RB5I#h;SADU{C!Ea65sybyW6UH$PrNHe{C>>d-H&tUL82Hb&|7{WvE*xulB`Zksi;Sn-f(m0E|9w z?jF?~-K(2wyxRnOuF)Le<1f~e1 z4LS0}r@7*h{27<&dbrDoDm)i25%2p{A7n zO_4eFT8RbK4*nd=LtGlg#I0M=!Z%@ahX1`?N<~BK zTI{;PJW6i|pBuM+fs2R3!|U1$P3*e6fH^oVV?4vb&=`Nwqx+l56d+J_@=ecN!=+*$ zfGH$x3uRS*SAGM=4qPM$I6>SvB-2;PeuMdx)iUNc_BegLB^BES=+c1WN+w(r-x+!$ zV*XbtB#xlgf0!Bg4cZ=3@1K3TIpF)GRZj0+p5mPcRQ7s@Bo6|vo(3}uTv7(Pl)y&M z_nrGxG{(`*cY-^#LlZer9f{l?prVS&Is|qMILav;sNPA~K3Z9v6@?3& z=v~=<6|^&Cd2PV$-MP+uS~gDu1km{uH1GKjkETh>q2J3790X`@1bw4DUgwo$srUDE zy_4%bTx3xqyiV@ry-ca+kjQmVB;_R>o3~JK=fF)u@_atqBS{yz9uNV*neSEv(ytFx z2n-6DbwnnUhuk35Un%dca4<&gSdS!TLvQjJ%7G|c!vXNR6yJe2Vi1%8K;A+l=_d!> z^HiX)dwqg|q%aZ1H%y2lW1k>K-UAoPTe|=)FasoP=m}J9q0KCm7i-YZHCV?B!zGVkR6GIJ*lh??n|>YJg@;g0R)@h^}jKC?@qTv&Wv-NW?ZJ{^m(Z;q(py$h8DtHw>fxx;l5!*q^eJd{8K&aT5#k81W2LfLakMR}_;sR2^K4&qpV)NAU>km;m8&eBK81_dph<1Trtp^Q5Y<=Ayj3jf!OV zyp9J5K&uZxmjNckxxn&(mAVIxe=p@MZrp0%Ha=yg28(PrH9a#wsM$(?KeaW85`I_>p(e5Is%Y? zUF={jZ4%j0oGLqm#G zET-q4RY)t-v_%#OLVf+u!R{QORW_f^1)^q`0wH|fPw-O7g_NNkvyRWS~wj`K^f+l!p* z2AU|I*QY(|3~FX|?e)Ufxj(xeqDoum&&2rKR;1VYv(55N&Qz*9;A>u0KlW@MCtTp% zM?gD()^9FU0+9yb1#C-C0A;Sbh~dS=)GjCNTjOuP-v?GJG-KEu#MSy6ts+J|fA=&< zh}P92j^S+kRK_1D7|>80F=Vw>A)naao-Nvrg#RSyyXfbZdr|S-+jn8S=;fEv=4`N2 zM!;Q%wfO>?L7|9;p8{$+z)ur(fGtg%_5VU1{yjTzoK!Fo0m|k*Zl#83prT8z$oPW+ zOzYxeCvGkyRurA;t=?O^h{q|`!Q1K4=^=w~pIyKwZi27O@XgFSfzGCn#mIo<+ncb3 zn<07M&xipr4)pGV8~FF>>hz8--7y-#P@B*`=Pn^aN!0z(`XVmdI}qD)vShWp59UTZ zTL5zFqF)>&r37MhplbWY{BIg9f$VDI03JTj@H1RTY}TKs54n$6z`xLL=f1e;;8!1@ zyn8^!J!qjdXFit)yYDVr6x1dWY(6y9F+~!9v+5cWfD#CFo&gd~*#@=rWDJC6U^2+J za>tZCvq~XA=zYJaDP6{ZsTn>Q%nW}E|TMh#hr^UbTBKq&5eg3krl|`YFg+_%WRWQK) z5k_`-oOcckaHDEc$_7Jnnc^*kgQZ59P-*Zt244boeJBUe2E`$%=RXY?bW$^)kDw_F zO&BM4jS;jpdC|0e@$W?Y(69h^|IHM4?c2lM(89a?=EChbq{1B3>ag^t1` z*?s_}dvHf`I18GtJb*hq?s`#=+;B-C_hUm7>ixvzUg;N2^dESZl~fj#{fqKCRhkJ| zz#;LAbK>oI;uo}fc$H?Oz`V|lYWD%=KvN4?MToIx^pLR!r*DJD$vE`(P1F>TM7~HN8G_CB<_iF!r-t3ueuM^g9{tS)z)Ahxs2qTdwPix;{jG>v 
zR<*zo;+~Q>V01rc1D5`$>$;~yH1{L=}VyoiQF*BFL@>2ZAJDpzbrO|>XLZxqO{P}GzRFg`|Ij~{MDnYMcO1_=%Gvw zcr|0Piz9li;fN|TH_KRQTC(>6&M^(p40HM?5*L~)Cp;ep3e=3T#MEC|Geu?o70YCh zO=Z3J6YlVu6K-(#Y2kEH1y7ebNRpx*#SDy%10ZG3TmK>U?gIJ^SVmpzJgJ^k_ z)yVs*eOI7coxyMagKHq_bbHl&J^%yLM4jFyL3&fYYQU`j@*2R> zIh2A9;r3Qv@)M7J(@f}yV7Q3u1b8h#0Y>hcvOF4SDZ*6)n!QF#2o$ll2u*)g)qxPx zyEqN^?9~4!mYsA9^y2VH7*rg%o~f~D4%~58?EeB8(BQ3LN!mXB_3K~x3aG6BvTKA+FRsi-{$Ecs~+iOId(*0m5 zT=drugb^sUy6u}fIezZqvC;E>KmiB332-=Ilc=d3h$g40E-o}Pc6LvWX3&sjB_ci- zP?b?||GU@U(gm~*XS-74e|5AAlmaF#^t&Kj9Kh3!IRL}D3uAhSn5`ckKy3bX?LCDC zrV0~OkE9}h+iGkS{2w9zCRKpPq)tK8kLvpuO(8VEIQle2 zdgL1iQ}`XeHVX5gnRfH!59se55`v{Cnid3H1!5Y%5un>b+YR%C`nEcGhY(4&9ng@j z2R47x0~UbIh2BS(+sHtoa2a3pcs0Db|58xY|DQ3HOPZTVlx4~A^(s0-!Z0P$<|rdft>4xkb9SNlXJvY>he z){ki<3x3`nN&vZs0^VkX-WeDwoS>-S#sd?zw)@z*3-4{QC|qdNGm)9s=7HCAe@`7l z2Mhlyxqz>LDFQlid_w}1YX7HCn9r>#GlW(zsI>odIne3H){}oI6%1sTBRai-x)HX0 z>T-bUVHyT48<;|UI3GSp8b5CD0iID%WixF6R@bkFRtnMcqK8TW%=v)lU!Es->`bU^ zMJC(YxydpRI-YwTncjVubk(ONDHx%7aME2o6iBz2x^6CM{cRBZA-e>oR zAzP9xqeEv0J3Hn4njB;gyFHYCfUf}MQiF!{;qV>V(834EFEBbL zQucfN-~s~%oOwHFuMeFM?Lo5?tXRyey;an8u4qQ33}PZlfRavEt_FhuPWpoxba&ef z@h&jDDVqdM^Jf%M10qPb6&FHz-53nCb1!EG2+REd$@64t_VxYob;O5Ef@j;noE7N3fTy7Y^`0)k;0~Bp9wU}-YxSf%Cav>53MrLeCN=|mx%7SyC2{Z= zJ=O#gc+p=Y$U4AJOGaJ|{2PMzu&|J)>iNRJ3RgUQvqlzR%WU+ucc&W&x4_-U?;iHsDpAvtv8&&5D z4yz$TWc7*2QNypv1rUTWWj7|^xQd1CzK`lDt#td(Wcu3pvr-=g!eCwhdLARDcmnUb zS9-xo>u=%53mnF@eJ ztvI3CbAh5A>47LgYC5nlCT##&vx%zG+p$07)!B^^4Q^gF3kNMtv-(XQvA2f}p$k5q zO)WDESxpOq^SVEH=H}+QleQ|4m2aCHZtPrruj7S(_+I2L-?J^uuY9EhVSkkRy(PUkK6B^tltg4FA8({??04V=<8Y2EHbC zpZdNs%C~j|UIkeDtV&L@)}N}B1W1MqTQC^^K;C@FYlXX z5aF=Qvt&#{ojI@DrcZ9-G}JW6XJ!uYH31UEUT;h!L(1Q6m}JJIFM{f1z63~PeU^YD zgI!1{EqTQlnTR{iBtodtJlC$uCafaO-+?0Na3mZSjUWE`DoEcEC)({ zg%9EbTCl&u&%s#&DzHWxjBcZ-jGHVPGmZ5DJQ0ct&u6q}r#XB(n~lUdwYUT%1(MlH z&nyR@&2d~JwoXu%&HZqxpClB7Z#6_t)za+aeA{$t=_yx|xS5xgah*575or?v5IMNo2Q z%wbDOX7`>9o-%o zJm0n>qEbS*3<{99-B+c@f6vK6EiURfi7GU}X55j!_-SjY#p4fdlgFR+^OefAP+<~b 
z52x#2((?T?wSkqjjfWdGSvMD_-P_THOO0OF!DKA`=lZ_q>q%L{zu_qYH?f<}k9uu~ zGaJu$$Cp|>_x){A1nAqZIBBpKD5cG_3O}T=y?ge8FzoopHeE6wza3naU|s{GykBh$=0?QYZ1+T_c`~yvS#<{31(@{hvd!n16c2iTK?znnMgh@AeCh)l|{!j#R~T=3r568eJ@)UYe~-1$ zE;a996Z<$5!yDlkDrE4xv)ZFJ*Sa){OTufv%KU?7`S7)aakMrPB7Vw2c!?H5v}l&k zI0u_+K_E7^mxyxpYQ<`)O=VUbsLofqGntuhwC%z!;>@-rzUYNq;lJOu78p81Htt-- zIxQ1x`83kz+bjmWrwQ`8|5z3MrN`piv>|@oSvL%ZH%OM>dK4`@Y*CO@CITfnaFcuO zxWhJ3u9;@Nknqv0&dA#)rPXPWP=>N?Kc}*>zkjr&k&`Z;j6YaGXx@u5YbudHQlDl~ zS+<3#{et>cgFr?9+YNU|sV;@AFDVv<@1{8YE7`Rhj$8&lzWSJN>iF^#(WnC0NjS3DO|Mdj4$}Y z4x);VKG}DRh?bjAP2JbF#IAQ7|@&=@}he{|NY*`PAz@ zSXBE()DTw2_F+z>&+-cjMtJSsYDGbyE4BEUpuPDtMPH3qD`)Mq-lB$ukJrUMS~KAg z6K%f4f@9(cY>M@*er(!A|Hvw@#UJUTe6Nx) zUYQ&!PJ=gJqT6ox)J3zxb`-uMY+?LWQ1ro&DM{jlc1fEGp_K} zF20+Ca3DT$Dh#RK-GrwvL;p$q5q_TBi+8tXAGePY%E+fEfB0kCgg%nu)7OT@XIxPU zJ_-sEgvB>2a1p6$eZtZh@*#lV^0;PXfztnUn$Rh4CkI9fW3RUNoDY5v`LXhcxNPu6;czdH6jkqzRl6sZZPvL z5bF1g@$5JaTkLB(ZdN!t9G)(0UA)uP`2NMYZu~TvDDKQSV)x9PuZN&JnZ;xyTGPvp z>}eAy3)H0`dsVj#t3&)P!BAL0O zy0+u040bT^TCZF9HcuYpcc3U2<#&dn_)bZtnHEen;fNh@2mMz2zDsfCK~738+G{38 zrdC2(1B@?C^7B6C2wk6fSK4?ho`t@wZ+iRoXTy(I6}kl&pMGpLxI9%{0?n1S+kf%a zC>ghQnEn&{bhgF&dP`WyOa8b1V`W(fD+Y|YcHOHTxA_GZzR(S|3eBgBg$>4^{v0JA z@IZ1eYj5XY?4R|nQt-@{@Hg4~uCLTA`T8S1bj}-xY-erFGDTr*$YNu_K9=fL;;Ac(k*0;QU4Kdlf z(z}^cyFG;%IVjOszv}n)kRglynYcAnJmhteJ5*Gu@jmnXlDKZPjPGiFk8!WH^3&qn z$2^dnep6-TAL0z%q@jw<*(IURqzALNJI&X}N;eY~x6Vt>FPYX`p7>tbUaf_OCho56 zf7H5KKP6}I}0z=IKAvvNAPKu`j3fLPZ?7D;k`A&$4eMjO*Z;_ zpgv*59UehVZ=XJ9nNfjj8!{h-xOUY@B{&rcZSgbH5`w8Ge9xqu zgWFI`wUd$qBtFSAiNX!?;Zu*4eI@q~aYjI?DtRXJ!9q|J&Uz0G+k9RmMr1F9X-9NV zDgZ%?2akHB-Z!0k+8w)R^?Dd}y9ic2iZW5u9QX9k8GT=4(dcUu$&r-b!PN4mnvq=r zpvT0b0c(g0N{@)Q4+v+skr%(JV%B@pa?(~)q$ipE=w( zUp;BPnl5a(J&zw(vGs_UKpsalKrq^-5ZM&j2>}rf$3NI0s#Oa3m=u;9vKInu0H$aV zd6}P<@TcZF5n(gET`HZ15YjppP7`T)DOLiyk{v_k+@<1meA^K7JStYqWMn1;M+9y- zB!5V&_%anTW)LzZg8icjK7GOOIvS9KKP6^}s20v{;Uho3saqgvU-Zzx=j&=M?2p`#v5=~3;^oWeK z0XZv{2J$Ad6~bdUeE-l^X-sltED7XQ)FS6U+msnu?*6gL8N;cuA;;ozi2BY@{jlqg 
zWog>RPZY*l#p{?Y$oE0A@L(G`qA-n5BMCJ^-1XmRt4Di8mr+X}RUeOZ`7Y49>0-;B zcFz&vk)S<)nL_mOkt=t#m;c232LE{%_|rxfNfQU0LGmuzfUs{VI?9sMyzb(rd{}{D zvK^G{bVfM#z;9d#PzuHR$;ePsV!xIZq^{U$y1lh2%rHfn>^FXq#!=fgr^~<>8e|;8 zBhbbZDzQ>zCz$`uRKkf85i34S(pag3b`|)!5;qAiO4!&K842pLIFDPicrX0zTcfgH zNjJkeU<}f*?o{e;NCu)E6m3!4WpsEU%AGmLV;Rg5MzFPVW)Ka*jZIbyWLLD)6r%QNElzzP zq}+}JOXBI^wufBsVA!?4)Ic#XziM!*jpf`R5 zc+m`{_gw`7gqPZG$c1q#tO6l*M_u~=T8VHNEl7gR{<1&DV00Tb(*tm0fcA(4rhP(r zE-Z7tV&@n+tyvCojy%3(Z9QEC`Lom<}Ltv68~1JLs@6QNkr8RvC+fC0sB7Q?1+VaxC+}&rhgF^bzNphs>oS zUbl`K zu}E(HNg7zbv7nZcgsSp$U+xpoPgw|TRFhpK6 z`Y>KOq5(fhaGTn91>80g6?{p%77hul`8owK!ptP2_}8F?Ry+8IO!Pi zLK+OIN4e0&baC63*(9*gN!5TqzQ~QfSPv#`#dk^@c$&@W@x=VYVNc~!E2H@bl+Lr( zQcQI(U<+HHitf*^wF%rj7q@2iS3usukG8zJ-FHsudMFOElaVQ-+?)iTmqxJu-$<5d6n%6uAX~ZK!z;rJ+k|`ov|#z(LopLso?my#+Yg7t<^hPQDkJEjBVt&(mQ39HFQg|! zC9SzuezXUeU5ARxL8?+m;s>_-y+N;VUr+ap@h4p%wm$nhL?s!O~g>VWxTG_Kt>rY~+5wK%VES6+QrbsCBgqp{x#S2Vqc zUlKFkZ+Nbepny$8c*>mBHO6A3V-q|<4}mqIr(pJW!Ob_L@8SrrHhUze$Hz`D2r;<$ zEdGyF)G~l75?y!{{0E=gXsyYe$&CnPZ=sH9FM~YSdpKuhWLT@g7-4rDP5*6BI0u>M zHjHxqS}kH|M!`~N{#qOwUM<_r&1_3=m%D90pb(jheF?V1ff_6&(x-xsoqvBF?pU~v z*e#S~g;9oq(X369!)q8zf)lalRNX1kmdm&RhwcA27qOe%vZGPerCmxa#)txAgB7!5=R?wC&;FUq(W~$S1KPODC!-y4#Sg!G%R%iRw5=0 zE=FtGPj>z?uU1fFOTN)iY6icR$ln#<>);N_HjB@oO6YE1J7p1Y16`lr2Tl!^aZFel z*ZUtn6$yEdR~veAgUVyteuMCeN4hu08>LRQW2QRue}#Wog&i|slVt|stC&0iVP*@Y zv&RUwk+YjTIj@kLba#_^UeZ=x(K~csG{m0oXiI=NvnP_MA{?*b6m?2Rb~Lx0^wxGt zTCcy0*k+OHD|rf#=%9bR<)xfAMxFf zyYZ;Laj5W6>6Rz094D9mgu_t!ct?nT9-N_Z;iXXc>68sDol_j$FgblfU?QEc8Ks_d zfR}~i`Q^4G!n$F>%p_+kFR>< zz+`&YA-#w0({jI`IZqh-tnTW17BYU-FNwNnOWH^&C%Z-Z-`=k-yzqlC5*-$1I2!>5 z_kPmoXm03WVyx!mU}0nCcsFYF-issdjy?62`bEMRaunx;?nk&NE4xSlVt`OY7~4sG z<*^DKf#*cDhBGGs4VdqrhUmYca-llYY?eNZ_u4Xk_44(ST?!gk&bc@x%7;&Tsfq6F z$LsjFf7aZLl~y(1=f$(sxXkfu(`KHG`LMtE+;UU5j`q&I_>RMLini6+LCs>%c>(EPJ zcYbcheS%QB*SP;=tkd|<##C;%GO2Y+C-uc1<>GX-iz}({?ByW7=205UW{Z2`$*L@# z?`X>HCgid3SoBiVDm_FIubWnPU_c-7U2Q-@V+5>SH 
zDJLkmR=r5}Uu8D!3r~Jd@sg4m>V@=H(ST~kMA1O5eHkLejtZG|FaH?f{T@5y?V6bM z6;|HN?TcZZK9+oC!`N5B+dndu4gntr`lO$l_9n1=bQ0Gii)2-H<20q($f91em>4g3 z+mf|14!k)hd1y>;UVng5FdFa1*e12*VC}6F3sH)3j%RK``KB9%I}-CsGz(x}EaES1jaxmN<0q zv&Fp0OK$-i-l|`grR=(yotYnP^9OxuM{@ij?v^e4XMyiol7W2zq>tm#yTy1+Su%`e zxs&2ol>8WMh6W5I2fPT8(IyMJC1qRTy@Ae5;J=P96i4d zuCR8sJ*#=w)IiW}E|A(!yeJ~@6g?hRk6p`{SId;ZWV6|Sdsq2&ZoAePv7sWyZ z(x{R8&NPB2N`nVyoDcV@!PAWFnYtGa?Zg>`Omp-*lG40*PwV$kjq$tEhuAsMMcv{C z#!!?MOqCc^zT=}~ZOxX2g#TLMO_k`jUwWFY>F7JfGj7f;%rTS0v(9@2E8NYnyMlgJ zGq|{97c{^xa0=R_xkb5Dz4=9+nIQs4B$Lv#L{??HSnK}AmXqDnVU;}XP{v1u!ReP~ z$m=Z}-}lUUpK?!<1r=$Js|?wc;xAO19n`Q-yOYtF+!}ur?jW<*FERf-Sa31H_br56 z5<&VLN%o6B$AbqM%%`gkjpFRft`TQFudqEmL*)Av#+!Q!>{$ry^caGX%%=>nx@Ehb zfhzr^D+#n&xT0NL&^KMvS93Mf2hC6(_sB}dc;hSLjTQ;i4tlm(lbj(G7D1Su_AXUY zj0M+C~^wTXdScMmm$?R>03~ z&UzAW(EYjqTdhaiGwL=E>zYew(|cEI1IGdRRCA6#YJtIr#_V~<^8QMCIYz}7^5lL0 z_SM7jeRLxOos{V57@rNAaNiDZp`^7QlG}G%IdeZ28%K$wzOdEKXSglyHU6&n)c%Zh zr@Gu$>pQFp5qZSM)ho_mk54BZ4WZef47c~&%#irj*ejME^Khp>sL8jg;K>cIUQM?zv@gUYaC+1oh5~v zR*#Uc|3-oL!})?FcP>`l(}?&CX$;bymv+gj{>q4EdtvRDDD&Kv!9#Q8B#~ok=A4b| zZXeg5IDE9}Y%;X`1N@SXf98^>?Z;dliilg_e;YOi7}$EBvliGahM$Ua_oG+S(k`jx zcWG1Ueb?vq%}PaC&#d!2mJ)7q5B#CZn`~n3^FH}i|20a><|0RF=EY>^`>>yx9j_1; z8V~t(aeS>4S@J{Xiac-{1-wpIQyK)`91EmMn|?-WOMLNirV;zb=5}ze-PKl4kl)?t zpyp@V7R%$ar6w=W^P|DNWqS>(*zgm3R~f0Jb1W-{7s6PeqM4RI7fUHA9p}h%mp9ac z)@g$Die?309+_L`D){neufAErM)yjyjvOO>2NNOo{RzW*O}bU$)yVaCfd(-e%$6?^ zL@d8cZZ5JFy5wijKh7vSAY z&fnHi7R}9Gkt#1^2h*n0NcSR7k-YO8?#JIG>mz%5@MC{pV4nME>&{Rw_vXmc4W1GG z3yADIDO^D9WHeGQf@)d*E9tYq45ypHN=5zi@--0BEe}1x)c5h%c#>NEg1_L)`thu& zZbe;aY(LkPP49@6@m0rHwO{-^H#F4S2r-Xjy)AV|jTaz=`aKaVaZoxf6S?pJ(iR$^!oWR^I^ z{VsZY?195n9?Q@>fAD!=`N__7R+WLD3>gG3-S*JVw-5WXYVfhNa24hLlGn}T^3SXr z;GLgU>F|oRB}leRYLXkCW`{(T(!71yh?_sqi7=RqzjtH0lIlOZL7inE_`E_S!QReJ_6i?RcmCUo}lE8)P{7y58L zS81}Y(S39+OFoMWdy(9!AwH8?{rWE#q~3@k>im%~eMQ{4`woq)8FN2mYctHcCB`~DnjJ8e*F|=^0H^QkV=HkBT*0Q-2KmQ zJ%R%r->|I^L3_-d`ei1#jYsAfBI@?htyjMcvA}-W70NtP5-d+{2DV7?Vig813`TZ| 
zUM-IpfaaB$TXQCVI^wcTKYpuKhs#>YhxH6R$W>oKQLp)}ZubfoCi4twimIk8wZ?dG zZj;8CqIKmZy_w?l5UeZnPH*CJ=Hzc{7(W|^>pG9fSNw%vx!c9x(l(g*E2G7rcB$OV zSZY)i?4YgY%G2~E!sL@Zk~3~9>o6_x%r~VJW_6h;|0D$CqfX-aJm$pU$yj_%rJQFy z<_D)Q(W2wp2R|+W4LJC+4|C-1`P{JC?5g;w~w7gCP ze5RPiIagL)%*cA$RWlW=P@Kp!<*sx5+7;vi@yvY&+xK=pL^u-VWur4@ zLNMfdyjl$z$)?^V)q8jlu?-PF%C;Gk&V7(M4U~8__%rR8{xteE!|6NeKdhHtH81)! z0&)n&7baO#(B7W)OI7O$50zfJUL0)14gCo!)8tTy3eBy2pEOx^spA)sCiol zXMu70V;t%MR+V{LqBg3M(StB@6U6v}mVA!$AKL{5u7tiSus*+6msM7GxCs8Noi1-2 z?xtTWTA_8|4`9{zet@^{LSogr^4EjyKf`{nl8aApVuQo06A~k^MOB}S=t2Q8?)+LE zo)VWcS~?4-8`SB_#hkfg#cgZVIdY^}Y?14Gf+yMyd&ItE6XV;whCBBLftx9c8rQj# zBO@2=5mfcsw9YvSyC7H!7xyMgp4T7C?zoGuR<+Y=bj8}Hq{neeVzfoucg#0+O;aH8 z>0>f=mX+J7D@n+4B|;Id_zx^U&39Ev1qS&g$Yr+k17t~_+w3)A(>EKGqA~~UZwyFH zepW`Id5DHpE%c*@y;o?gtxhH#&heR#^VYymK3b=o-VJ8*1KEroe}~Ir9(swtby}_{ zw5a`7mSC^j*)c_cA-U|>6?B}O?5>Q}8L4&l9+T$O$@2dE5e8A-j z-qbu687_C0Gn-#hf;kJz66qErNei#QIg39m_UpIie1AJ)nD^m%L23L~pO@xOHK(4Y zA)+(V1XT*@Jk}$q@jGcB`4aaT^*blE>;N0#_g2Ha$w)jMB1*&lDNJ3DUSbb_1v1j7^j8d!(rzChJgnzdEd_iK1 zh6sg)1w6nrrD((zjD+}h*Wb?*T&6eJfUj7Ft-Ne&{^ISZ`~2+i*}C^`(d4U+vGt3e z!Rx1iTb~n~sA`%6@ZU0R6?C%;#LSs8arh6&kx?a{)~$LU=BLEN6V!@eA2ePpv@L9i zt+xegu_Lk>zKFsemEI2XB&Be7cJMp*=?ENFrCxK0EphM8Q|UIzp|w0%85%&gU!Q-f zA#`O=P&e~fARx*Rh6=our7c89W%p~pqH6Fb6H<`2Di#W%QmpwE`A1P@Hfe^-7vqj3 z>`6hInw=$QxsQtdsY``r%BHRRCVuai#aW#X_;M$1#d0jXu5gt^Yd!n%J;N(hih9by zA5UF;yZi<0ut$7e;FqsgoANf>WHGgerx?Tf&G2>NuYDg;%!-bANb`u(d5H*DXs5m7 zcH7+ql@&I!3-$_0%P}WmFdl5BYWl2RwT4Ld#=eb}Phl$_4_UMSB+H_MgsR`0R;%S& zTfrxN-6l)xITp#`HRVHNz3P$lIylQdMil2LL@EY`Zn4r}zR|wlE3)d59C}9FsfY=` zHy)ndEu7;xZ!;uZey?)x$Il5KS+Cr{b)#iC!OD%Jz1yl_^ecVEKUF4{c=g9`>3QSZ z@RmeguXF9a9e4TUqD`045E(nN2MSE<8>+c>o-{s|<{OuJbC5PfKA3Nw}xIgV&{Ts#zw9N7Y&sDKL9;I!oR`Fg`Bd9)T!}Jj2kL4>txc-PD|yQ z$R^xH%<635o+ZkBdI2m8EbFS>qvn((T3(_7lj(yey?Xvr^>qobAd%PUoGO1?*1 z?f-&e^8UYqCO7C`%}@JBV3Q=ZksAu!5M|?c^Jtjd2K0^y`;iYnSs4?8^U{l_pg3}_ zj4%x{olwuBlEa{rIum|(=fXDpg>c|CP4@g9mhEj>IQ=inOy|_Bq;vRWiBCeys|GUo 
zMOflpx$nASDRzsdjhfO+&$2v5^N)~5ogrQefdX!Zy=wQEk-pEo( zJDMml<+1pSRyi%z46OpUor>+8^QK+Qf-bhR#?|vB*sCoiTr+YDLoobRz0un|BaJ#t zZl;%4@=I}GSPQtI_;7y8fX?z?uitj9iC5w6E<0$%<1WOXN)Vrdlc#}Y`|)}#+v~ic zE;<&?ug9RhQS2#nd$Ev$=u`E*DET{4rcHxT#rekUEfTKgvzC)$!)r)}N_q*&-4spE zPyr*L^OTYq^iPpJn@(78a@eOyRRrf9f1$M6`Xl)}S?JN!G3ZdI#ul+)D^$y2=Z~tq z?F~$RZ9|Us$}*Rj{OmNl$jAzzUpd#n{@!(r^z7cPR^{R$i+zy7Y#o{x$#>f%x>U)Z zZI3;PYtC|A>ki`$+x55{4~|+>j!VVTuu7{ombEK>K=l@pD4I(}i3&P*&}PYlvW;5U zM(R%FFETP7i+^4y)Ah%9O0T|a>9hm1P9an7OsVz2quel%%yfC&)DAl+h7a$*g&u*x z;ry7DH%4vbEE*%yP}(&Z6oR>j@n}k?D9%8N(lJWXk8p1ZZ9t@VSRq21!QNqLIZ1~j zc(zZq+1?z{^||}a=A*i3bs>P4_+-ulI4ePA-H(qJ$Hx+AQNYN|3^D6;@Jhh|<+o%9 z#f2g@6l|;hZQ1hNaQ#|v?RA_2HE~WWym0yi*sq!FpdO;!)$^-K?kSRhPd$Xr_tOBk zm&LqpiHk#E~7R0A9a2eDO@Aju5RWA)ydx$3G&ggu)NeLhruWe{&FoUN9k3 z4?c89QHdFb=i-G}ABOoTQqV}M)y(4K1<3(b3QDOaOP_*LDG2B~V|b3f#78c%)D0yV z{z#6A(L%OhBsg&-vbNO)9Gs>#b66SzfxGc&pn{a05{^ZYg!aC7^*B(oCLXCKux-<8 zju8lkcj9XCHv->E^2Khp=%>g_f>?w)Dd9u`YoseH0~UBxaw2tQUeHOW)YkWri33F= z-i)DX)(>`V2I@#=?yRkTSR&!V!C99@_$ri+m1;nEJzYyBAfL)+6`)Bik;tLEv_>BN z!$l5VEn>KT(iMaY`$D=xUU=ifs|p(Q>`d$Rb%paJZtkw+J{5nZ`gN}$B)FS5e_2VH zg(h)6D8h@h!jdnpfeiMgt|Ebt4u%_(*?M_twxZkC$#{F2{7h0FS;ncNn7pucoH$MP zn!z=QxYl(lIx%luCsH$=WS=C*wZ)ri*jBW!@kpngY%@A45sZ->yP7+IIbaP(Tbve~W{81H({`_R$ys^e%K5shGx>b0t>12czx2c^(FEu5q$L;wsX5nhN4=-rLvR1B*D9q1CI8s*8g#3Zmv$HW*w zUugg^z`a-s=@(Y_C^+WTscf(d8s@wfY+Q8_RojB{9~MwAnF~uhxrW_P^S)*SqG@w| z$m?p|Rk?g1w&BjIcE}~|idI|qwdR?wCU>rR_WUf*m%6jB3p4cEC6;Tpjk_g3P_1Qm z<>rR_`TCTDl;s^SnGLtC&WeP~fw(o9>Wffr7;{^$r@e;5>y|mt>BZ|7vq_#r zp%r)iT5`0m8z^^NC3tB~0zxNIsQf&FdKdv~K&$Jqg8X;zos+tNVbfpU{(Bo?^W*G~ zzy5Q39M2IcKabjk)&FtZ)kCzdbsJz#HszMgp8DD)%6D0>sG;?gI6vq@OK5MEm!;%t zEU%Jf>A<*7hv_J0=gjS2yS4lE?J`+Qp5*g^dkET?bM&xgdcj7AFu)$yzn(^@wD1?1 zV*jpdJ0i8Wf43r&&V7t~h$39406@2w=E zC|;7m^>x`alFMJzL?F4YOLw!Y+1``E{me_%-_P#C&abX&Hi)KvIHt$ouCz27pi{5& zMf0|>2~3t~GQWt+J7ho9C8(!1UaX_!Jsh4z8L-ABTJnot+SM6!+|4x8RLTsYQVwbD zqJZwcY#_|}bTLAG$?2==t{rl&&E}QcG1Bzxn>RKOVXK5BQtiLDGAptu3Q*5tm8@B1 
z57#%igp{_@@ipX!>t{i)zjV2wHNu*ugiWac5xosBqY7W1pVg}P<`SceFuuI5mSsAz zX?n<|uuPW{35H35g%L352DSGTWJ5}Wa9g^Niu0-H80MwPmm&`E%T=ly^eD& zWW)Io6t^;{Ik*UTc3GmfGHlt%Ffj_#z@}7?`GQiRnE8)%;fxVTKS@z9yB|MCy5jGftJbUkzd0Ubo0h59{V=TgGHjP1jlEcVaoPUU~QO_n{pK4R&`rm%+@E?7aYVm>p1C z*zQzz%wEF|&hmU!3jD50yk|;ZVRuLj-UB6}(86xAT{W{ne@-dYk5TMloInKGAIU{% z&k3pRYx70%b8aQj7hqB-85|*hNzyAY$r%LpJ5Kumv}@YSWt8n=%?Z3CyVaj98O9jg z3hO*uJ-zrOTTG`ZAoURZ&euzz;nVnNn5OUP+9$-VszCTkUr-{M-_8i=n!$qm*ZrQy zv3O$Ht{a5jhGT$q5$IpXpcffnv&klrJ^dcXleT(pymLEFaV21Zt=K8IkFpiqfwDbx zsomD_bJ|77@oc`pb;hh=+5bzoko&c6B|Dc^kl1YOU}qHvr`@U9W=;^{?DIN3<2eit zj`WOYMt2}LDjg+xM&>PZm>Tc!fQN!l{FaO>R05=ygsDFhH*Z)9Xx*xaMt7+y%T)DN zDvZ4UDbVs?{%Tq?bGuDI`;S}p@?}lQtv}y3{wKHF(W0Ns_w{a`rlX{HrvI=uOM8Y2 z_t_u+e4BFe$_Er;^dE36?VC)18fmm@_Cu49 zlwD=ZBFRIN?mpe&ANO|g$9KCs_bMqc zo3ar<>=dO*M~Dqz63hIxieDC4iPujVD!+o4c58MN_0HR%f}!bbb%bQ`)t4EXzIN^@(usku5Y7Adq%RhCBUchG^fyCRCQaH=BNkyWw){yz%G@~kSnE$!a708sU_XJWUYUNnIIsFvZKaZpk7U_hA8iOd%4cC_h6+?nN9Os9 zgZ+0e-yXhv^Ez)yQ5I-oz9q;T*HUI%YMU27M&l_IpoIVTmF;r1TAJZLF4}r?&>t+0 zhg8Z5+F-eDczYl9*akC5z1gA%-6?KG8NMX96Kx?e;FZk?Rw&q@Xl9{Q9yh-fA%tCp zCW+AESzkSkp3f9J3I=?(K&dgH9y()yJ!61^cMcA|K~*fg;Tu%lnTaGnoJEribOz?F zeb_y6=bOXBw+ApLgZl$OqrNeqld5^?VLU?h26G30#!@}U*3h%>M!VbKl!Wq#VF-#P zd{tOhe4d}zdQY2&zeH>DS0J@( zx$jDAhP*2Hze0G-yS^e6O-M#_7UnEyGLZFDjbL;mY!R286wu_vgdLSx(n&2mjQcat zkes_XREf)bQS?f|crA2U{y`2VRz_RipjSFpYKH;LUv;qL9ql%09hk8qLe{)y?u=Pz z(L#cjO|bC=e9Edd@MSD?7w1(c9Uo9odfJp#rn*Tjb>@O_-3q75&);eTzKS3{L>Z@?w;< z0 zu#D8scYzl+bj{8ZQa#F(Ll?UBlbXX<2bNvfSvJ(@z*HYVN3dc~X}#jld=_fpF*FKt z;zauvDl~yR)B#Bx$rOOv1dsuT{fG9$ou|d@A{lcLk_#FNOTO>#H6VI5Z_AmQ37mMa z0I?4nX_+m_1jl}8$-cy#+gm!+G`-fo*62KQr$Q7hbRK|X7^9u*SAMb7n;Hc4*li@S zKrmEbo)%oS))6{CLrB!#T`v7eG)k~vReKf>XXx4`9N;RzbFWO|;}oQS+E7G0+!V5QDEQba8RS*c2$_ zF`~LOA}r7`W68u3d7;5u1>BdGkX103sEdKN$XzLgk}l-0T}K_W2Y6q4{Sp&G{SPi# z?E&ibTzL4C^>eJ1zFJK7QXK?uQ*Ah1KN&-y;b4A=Z0MJ(l zig{9Wmatfnrody%P$vUf^YQTDxhzz4tTHSBov3$GJ1l~l`Ow0Mo?wJa;Y|AI0cSo? 
z$NiJ1ifUGZ3pckMRwIH95t7&2?|clW*5U|(r{kO$*q1kM7*XeFlpb|}^B|-zZb71T z7-NAm(K&g5Y>ypV`?_Oe$%43=Td#KSwO;Ms_e$}He*M!2tyfQxe6$v09JA1zp>>z=JA&9ccIcX$q*&)~@m~uu}AkI!=z_P)YHDv@Y~=gv|CJ z7?x>yDC`xCj-d(=@AadT5(JZs&MOHnD!njQyQL}!>x%FRXHzh!6b_li(Krz@dLO}C zxhCFeJZ7VvQF?D~X}DLNQ!B6D`a+#6mXdAS-sP?LaTlf09LV+y)ZdZKaJ^J`(a%Dh zxS;TB#M>vOy&B@#gd2Oa;giz-b5Pm^WI;41i#wu%85DAbbTkT7=rk^$|kipkKQ3=yOP5t&4%NH=QCrSOFccRPX1=O`zPv-M_nAP=ozTPV^-Rw0AEN zOUAt<3SJ`74b}4M5aA6AY2_p1?qYZ2cFHUSRaK*&48G=vSoO+-%E(`gi@tIngk_8vpxoj zG@(3pPt!;E8Q~iQC(;(gT%AEHI7wopYJ^B;G&)9y=EE_Xh6TpBnqbgUv(b$_7%zII zRX6Mypf@2B(uLp1nsc!;XUl!B{&J(>iP;aC2GCaE$&3-#GV4pUl8s;rV_4cx3R{|U zVN(E?X`Y}0uua-fCWlmOrY3huIy**sh3dgj2@!>q@gU;Rb7xh9Tt1n2^Z7J;*6DmQ z@$#F2;qzMartDSuP!`;>_h8dAuM9l|YYZrtB+QQ1H2Gx}-EOh8k<{q%PK{clu)>^P zhQ>Tt7-S{oP&W`{nn%n*oIg{BK^8*>9*q*vV`-qF^%&Jg z^90^0btn~09UGzJturmx2#6b3#Q?~pyn-T4J|Xic}O#=Zwv7j71KoLYDfgq~DvboU(`0hTU}VlME9X)Ydp1UC92Y^`X`w#`?8 zU0fWpw~~E^RIy(c-wbV7SDsS&=mh!q{i6LTz(1xE8Uez1TKGY0ob>yM6P3AoZ!;+u zlPnrAz)B)QByw|sZKyIAw^j#}K3!mCdrksp=kl5bCi~@CviX)4G=;b4Sv9KZ7vgKW z=Ca63vQLt7@ z`#8|YJ5i!eFKQhjR}G$DScO~N@`dn8<+3Ulr>>-Q&ZyB9NXBm7?>1jj$SR}vjdD=qs&@#0F2n47R-GrqPVqDoi_p0qEdRdUi4{Z;);C3O9OoZ^od@+g`J9LTwa{bEp+(w9xP^LhfZkW29Vv;_PtUtM(*Sk z7}G**Vg;l1AbXAj@W?c05IM+bT;|VG(?~vti^fbj(P`y2J0FnN5K8Tl z_gYY^QeUGCYP}Y95vaas0g`iO6Q#=%j87dKaXTO#VC*Fb5)Vhhul_hwIs6}ay z7?@`83l&{0hE?c+B?e-ryUjNz?s?kuzf8Q>-{$mJ;uYrbn#YV&jlu^uAjpvYB%hfT4FybX**VjbcW znM+pYyrZDO7hSKmbT`&p#D>0QzJ|5@X8)}Z#&qxWC>!-ZyNhHE)efcOS_LKD%Sp1wC&YmKnga{rG5cEX{R3`#T%?hiSFI4aYJRrUNe> zLe#N*Ww67ZIW1CWsSK)1tX%qQyaMc0uvC9^qzDd^Ued5qDPKbk&*DnKnbQJ` zs836iCM=qQQaM`*8m14F3_OU6bmY9j8beQQi}MR}fPZ|YG;(UZSl}f59O3CO8fsy= z+*fH0uNr-aU|Bs{1=dKR^yKK41W|qhrJy!n87OrT_0FSA>%vmJrI?ZP37+z#mrEle ze;(*mQ9-{fSc=r1x?jMU6Iu%5vaebTx!1yJF_bGmiQ(|at*WX^ic_CSc8SWLzgrRe z@grCaXfj*YO`=^zMoxl1Hahbv)J75H1pOcrU zJ}Sk+1r3n^UmD_s)Ve2VVQavOb4<7pO~fz>f1(Riu@K`dIUWMRM1T$8wFt@8G`j>( zlSwBIXIb?F;xHf(d8(;T%O*h~QZaI8P#>`p2(2{$9+=xzMm{xa5y7y78d5U6B1o8} 
zWsM{+1QeYhIi3vrLcs1I8-zp(cnBp0OotNZ2-ksKnErhxI4(Xh(V4S zXfzO)5BVEiL?cm9X1Rv>Xl_oIW5<%ARwQ3@jj{7#UYg|uLZ@96ssNrsbm^)WIQ&$~ z9k3z-&>BLYdC;f~!-2kr209ZrYXN4*0B)TjYxuNFAmk1$#I~4~j$55lFIlxO)IVO`-54med!y)F)W?g-q~Apk$Jbw49Ob zfoCK;+{r(x!kZ-I*w^%cHlxy2CN|A zvm8|ftI;7G1vxI>CiCT`CM!PLBv(#y8a})ZK>$w(2-(6V(5P<@3XNknk?M?b$ zM+ppa_-t$vfMIc&fD62AGrvM;KiD}S7Z9s1f?G=x@RJ|}L8IXFk{%V4OH&ZKFTiX& ze}|T&UEofA>q_%hvz2}nJR^Cxmf{PF@FEj|ycs@mFQ}m+@>BalfHE@22*pP}HRB61 z#5clR+{3+-9mNonypen&gR+{?WJhw}h?f#l!&9(>lmbZ*ipl3NCn)RS(gtkU2&(}n zy~PNqH-bNSBWTeXTy=}lJORhtgj6T?7%{jLC;;Dp|Brd&GeiYEYh$@pW84AIE0Csw zt2pelHiOGzn83lN9apI@6tqGUfY%`70&x$#f;k2YE<~)U;bk#tio5bhJ1oOQ7dA zF0u8B_f1fUQ@q%v$%vB~lZq4&M=s(SbCg_|t1uWLPsXW!!D$k;BM*D=1x`3i;V|Le z#Bw$cR#zxY>2!=0HvE}>ah*nZ5204OV`8OLuCk(#tK41-WhjK;XQQ+o}MHcSZ8IQ zLqOHbOie`ur^P6id0iU&6P;3TV>3K6D9~CGCp>w1kyIJp-8ISz|o9Y&SguL zP0DH+1=1%23NIhr^8fxXG`4r|mFTkBbct*_pn&FGU8Dx{VJ+rP+&*q^nuI8p>t&J*_z&fw7>n?1nztrtH| zM`;2kSTaF(y}q+| z@Cuazed)72FH(ac)kMfM7TIiH#}_&V=4m>5Ps~9Yst>)D$SW?BE%L~SPjfUwPO0#U zt9T7EF>Q7w2go%*s$<2wLn7>ZG&djZC{@h8%dj)U?5(0CMaoTfb@f+%mT^UwVdrgP zRow>#%;OJC0RvI3iGAK2h8EyR^3zENO5Ld=+Ry!?OZ~NV0aRYKu;9=L@k5;o2N`mE z+^=&B@2;#$U9~i=X1}MY2bd8b_KrKXF${MAUBJTJX$cY3)fPpJMkz8URm86LSJRo)a zWY}D7+`Tny7$W%*TNj~JyFAn49G-zs8k?;_y-p2#uv^4dOH(f;)*loj> zTv;n`g}(6?;czddv_#vG;-9%vh-sT{Gh{1$0Bh;w5D& zUyF7vK+J{|A&w*nnG`+Lp>?=+Gx8XnF(RHBL=L)@b~V2U1#$rF z+itOiVi=y(y*AM?LIx1r%)x1&Gz4pyOfe>s3(A0~2C+N~lnh^=T(^Nb+BGBAjzSPG zuC}j5NHu^Fi8J`8)mJc%!4#_={6hIdN!)Rzqp4fwh_h4uY?tym&T(;qU6K*YN?@l3 z{t;9^2Rdr)BLgUT!~jBuAS&&VRg4~hxB~czmOC!iBMS-A**irUuvl0-vVnjamwcAG z0GJ==O5lzH$^mx^y$U_1U0FBF2&t^nE6xi1A_N@Vj+n*AEOJIBdp^Xqj?j#MX{m4A zA$Ph`_6o78Ok|J)g%}wr(k5&q9JJ;O+ZC2wOQ6!fRn7&~NnZ!jvidon4I^x^ALMKx zfrJuc09OjY9rBWQ4RX^IszC~x4o)|dACC3vds71K6Bbg3klW^NzX+kZXqM15F>Uff zl|aZ$;<`u=ef>InGQKDy%a8{hDH$@HEV?d|n!cQZ3S@5h!FRTRMkQ zb&%^Xfzj4&m`gS+u&2Do-zk(Z`|zc$Xx5rU*iUt{?nVtK6>XSPXf79PuP}F&+cGTH z=Z#BS45E1dm2N7%DE0c=LsBS8q?4vwDRklq%CV;tV%*FK<%U*wE|B;C&)&D~wsmD& 
zz6Z!ZY$(C8-7qQ1mM?J-R4KNT7-c7drJU*m$1o|1l312Vf)wqjQU>awKcXMHU-|?3 zBl=V7OL~kk=eq0*DO#24ycDeTxm?_NmB%G7uG@ z5H~#E1;ZH&N+BJ4W_eitHZ;iVr}D5bCw6FtA2ftXkHi|2Q(IUQ}jHpcVMlqa3*Uk9dMnu(xe zeb9#!=BHJIi>)wm!z~TaG{$?~P?fVPqtP730LBu%EDt@nKT}xIssRH z;4S0L;qe)v)ZkhKsf24u89XX-$p}Z4>{7MGpk$q`(O&qLVA}ep!(0LXFWle^J06}` z9RQZF=Z$6;O5L6KwD9SHrWPW;LbLWej^f1NtpqhMN>n~c%n7^iuBONyh+yHm`EsP z4>s!bOj&XPRdy&u@uCcOevJzuLBQ#*f-Ews`V?3C018}@EqKL9HLoZ_0F?QH=1-yD zegFRS8vX0)E2uOY=dM*inj2Oo#7zDNZZJn)v`gUp#oDqea*Wn&m_6%i9Io(Qn6YRG zl)--YlVf`_1RcnV7mYA`2qle8c{pD$2Dh6c zOjH0I*hh?DKXxeL8u)xH;`9<*#>LgG?JayU{@02ureJtJ!g7>$QTE~T9OmYHrk6>d zz;JYa(uL*8mU6?fvZbb7!NxO$nj)xi+Ux1xNj$9AixY*M6>}&gN!(L{CI(eRoPt@mDi-s8>Rzy?o8zjf$7;`kFh3_Y}io|emWk39Jp1!!owE4 zM4Z*g=7XIIK`H%WNWKpKGi}@aDec!CNt)!#!BPx%j@W+APzQoUqJSj(RVXUkQ*^Gg zk32abnl;BtWMY?s4wr%se`rC6hepBh??e#y&Lx2%3KHo=1j>U)$p5;Xe{TF{iPZlR z7TN`zZ-F-ACCH!|Zy6kBrl&A5_uywQB`IN1yj3`MX>$ATzF(cm}2Ntt{h`xwvAv_Yk2E!Y> zvjOzALFcM^2ha5}odzXn1TPGfz-Z!}S?1Lc&XABzQJY&PeNuWcFCB#Zo+Cm-qtY~8 zSX?*9;a}_|vg3o}cUiv{IH#AQS1x<}Hp_gcv{~i|kL2cei`Hg|y5+nsx58YR`>U7x zyWhL7U3!^?4?d|(;rny4!(P%f%EsDa5W9G+G^PgEQMSbLC9n}e@cPc(_SzbMwSMas z3Yx%}u~AEhygOsY5Syq(?Px7vBWr0R;t#%Iw!)!(nJ(;}kSb@D^4Mq7WSo<4h&)xkl8FVXZ#~IZ5xdhqOww zmHf0XO^C4WO3D+mU}T7zErlmQtfxOYfN1tX5hTfwF*qM0xZXx4;E30CJ0(nE?tg~e+mmxfv{${IBQxpPxo8Z-gJgVjf)opfi=|A1A96gI^`M*AmH2EJOY z`}YkrE6+!6`l;lOb?0mh{yTWWPHt$QQlj|-UIkGU6#oXcqKwC|ci0`WE@sq2hj=7G zg`f_96~J~Iik1g6NO)c{1pZDL0>SVC2j|WOQUYG06ED$;?~G22hT~DN-WvnxHL;?% z2%wk1bs0WvIWK{cM%xuVB#vk|c;M=&A+o$y+rHU|F2ajZSYj0fErTTmv{=}GrOV}9 zVXmg@0VEfn?sD7un}mIZs8@QO*o&zO3pUCnB;5x7oy z$c8|w3iXZ|OlEjiC^5JuqX`LQ@E#T*;#FfKJs^t#+F>lNz){s8R%GG{3{EIOL|B)2 zMlm_qX~&Eqd<;?gk;I>lC8f&r*a&=d+8?r};uWgzH_BVrzhV)(Z46w&)fZ398{DK>)?NLJuJlkGd1G1U5e|!bWL;Z2tIP zigSmXSsaV*Wk6l@OfrFPL4k}HM`ul^KTh*uV|zm%*JdgRmb)zDTLia@B1!nHO6^=I zKICi+35etpr6MQMSwqtigE2ZLt}qs(1%Eex0;V&&Z;o(h1_fP+qvSjbEP`2^7LY~+ zXy^jJu#PXx*p2zX#R(J#iZeT$)x(OB)91RXZ z%}XQDILcIO3+jhH6aN;^fSNBj%-Y2hROwS!%0!;f$RHjNDrEZ5azb-JW^oMOM^Khe 
zkBul6V!+^NggAg6h_45+KYtT{CSPbSMxx+~YK%a8fiO_^yhPPVOEZhiu5~nIbpU=PRBCvxRrvC( zeQ1?~Xw=_9GQ)#j8gmXdcpXis!=!nC06N(fHNHcQ&1+zKU`bA-jaz&tVl=+IB!Ih7 z62P_R5asO8+0UQD7#Zby5m-~^0mPNER7n^e1$^aNbOWxVMU)m?jv&df2l6_jZ-axd zPo;CbxyQ8tK}sO5)*7RX~jZAC8NK%WXD{6g~)Py&C{Bo zQk1)7$xlfgeDU~Wuw$O5Ae0deH|7n+_|70mc~^uo)FF~^;2Q%vcg{-i&CmDZ00(nsisCNiYY=-!gKif5I0;`isTMf5pA3`@2L{J1#`U{Dd zG)LafAKmH~TmPghvdwcBcv4Yz*aO9tQ^VG<)UUC7L=H5hlZgn-T<@ArL7;Io7V!Gh zngT9$=YDZrUMS1!BwaE@$L;Wy-=2KwE&??{_T=-=!s*b69l+iRFfuCxzEUp!vFd4sll&fI_L z1izoeG3LhSpM6?hDqD0xnd9mf_I}gGmA73W5q_D298~0y?xVUlT@qV<1UTJ?*%BM= ziy9YwHDS~upS&;ttzA&)p$yje`g2$W53GiAiw8!oz}s|Oga^f11S%g@TLm^T7F)!d za-|AoE08w`?wK{^I>Y9nuwr=1oB??n%`U(Z1-U|%=E7Ep+Q;!3^nDOhRw7?45YSIb z{;pF~&4%u1^5>X1QQ3u41sW%wqR-H*3G90WRSmD40C51b$~YI3BMm|Meov}R%uB=u z@xv{(6C5`;gdT;@rrjYA(K$3?+hC}WwVN)Z_!Gchpo~hC_>t?}g%3$jTCP6@0gW>Z z6pVv<@e6|3>^{qHS+c4m2;}tOa9*9iu^cSO=^UFGG!iPc>^pVLUImLG!X3aW7eDOm zY;9Y#z48uj%B6V3*D3pDbuX|i#sDb7r$$f9I1SLLiWr;T8cn#)T3i2j@Ak&V%??XX zI_}Sa_3lS#L}U=626U|+#-)Kopoq%J%?8ttUVmU*OE5)CJ(k85)yzuy*=?L+nChSv zl_?rzCiz6>=DZeqIg5@4U6@bQ!gdi33C@Mr|+b0H13`peskqF)ZKuT zv8~F5(XQ6Yp5c|+SUW_n_a~c^0|}5$+qt~X^x1!V{^qwozxi$Dm*L8r-!QCiOfv{5 zACYS&`Wf{R$89N*qcB0Hh2!VEsqF!DRQT35m`aFk;y)EG3IAB!fV+(ih&x02gtc{SQ%Q{OVPzZ6e2FqUP0tHONoN!UyH{v*8r(Pnsf})Jp-nFMb@=r({xo&1>G*fl=hh;Bm8x5sm7#pZ zxz|F)vgAFut7cYN1c*1roj$C=h2dUcPPsLevvJuRj%OF=N+ZusXYG$*gKdK*{s<+= z5~wdept-{MNG=H3-Gz}IjXRrcx#pu1iB@e;F_~d8{cVcyvIHNa9OSc-9OUx_dXUdn zN`t-f92VU?qh|ix<@OTf@SeZm-?tS`huBaZi;Ec*Cvl z)!na}Fx~sLV%|!YdhG_Sn41@>i+$^Dbg|cNmd&V(l?wMHS$PhSIKxw9sIbNBZ{4}H z;({IhUahzrXR4LAjM1cT+e<_2i+jyHJI)h1c~qj&lH)n=p{=ls1zJ-xSNDY8CL z65n~eUG)0UBNx1+0ST@U+NWfrWFen=-c3=43=7)Lu;d! zuT5@*NSo3ntRS5Xg(6bDv4x3jpZ8PFIXF5cXFX0)mFJpOCD6z4;L&h@gluegf`VW? 
zeA$T6sHbqn`57u3WvxAaQ#ORk!5aoiR9(hSwMuP?(Mvt4W)bLx)XHSBTYOkLB%e)s6)@b59Y$w}+Tf6QQPStN+AI;al}iO&mx zenTEZG+PWr&na&}VXIvj^h!fWvW#I=)r{%Q^r+%P)(q~s@J&xnASa4E3{ZoQPO!m2 zmx}T+B=XA2K)YfeljFSX3y;@od6W0%9CS zMpj`gppYv6GJ=pQ%oxX|T4Dj9%aZ|)9}DWB?qRY|7P9KdrGbFF5_?yeOp6M6A|XOS zYd4p|9g@G17dyc#s+F#4cGu!QfLT{v@9{C z;D2ZR#vLWZ)&=_5K>*MAKRHu+6rSy|sx1r|hdnNX>uF7A2@h2qd6o;cYoZzRgsR0# ziFZ}*c~9LhQu(V>ly!v&`d)u`c5r}c&w?pbdw+}mG033-qvB3dd8@@E2UsMo^k1rl2T%?0RGD$ob0Y6(5u!V6Af!syJ@ zR%GeUZei;0J~PiAwa|va-p1~51bFojL?rl@UE~@Wia=aE{_JyOsf=0xHbBY0@7MyP zF&a(GW3a+1!J_s`@O)Qdph(%lWS6;_xC4%VE-Xynfol0RBLc3?>!nh9EqwOZmTNa> zgj@qe$3c+~b4DM7St81tdDbI`Z|kQA-+X!1jo|lVj;=j#V{_?p0m%k^bLE=7`RUFF zcy*=6pP@CH7W@Y{DKmA|qA!Z?u-px4;K3#jVQ#G5#NQ^ngFWEU)wh%BVX???|MEBV z>>I-VkIXr}x4IfP#(Vth)15b~Vbg8B6tJ&=Vj8I&YIK{@1?ME;#L)X4-oK~`Q1k+2nclCFnQ!%kFxTk(7 zRyOl0jeEtneQdas;>*zPl_GX0%58_Uu~YjaCDC8_Eekqq6NRc)u`Rs`6wmksna%*5 zp+dm@$3JiHJbe0M^TCrxKjs~XY*F`kP_#}yaCbB`$a-d;Q&-w1jl>YF^7&rLlm%ls z+N_8rfRJK1S!-UNJUr5+rP0U#(NqV}14Hbc~n{A+|Seebst=<4%fDe%Ju%o%Pn^yBn9`(F+fc zHbvai9Kn1zKAyqOJgv?WOh!PHPNz}^i>>*o z_~=*gJmo!lysJ5m=L%!+t@>6AgF51vny% zD(lFbQ1lGNL-Eqt&wPpj|3*ORf019 zAf5#n57hfbpMwt3**%14Yv=x^6&9kUn55@m#4E~X$-n;jzgAy$Cor21s+bkMsEt4T z>!1Joyy@M7`CS3xR(^YSr7iQ+GQ__qU3KO8n-#O@At}o73Sd6|8`Y5gEi5M)@E^;D zUc$I)^(y{K@g-VYpziX_u5Gdu*FOIYMYW^i%Re>!btOKt0SmVp$82TE5laqFj$VAv zgO$CMp?AkT8-lbEMA_)wG>uGpa%~6}cGp?sFwdM*e}{Qmf;pZ!^oDBeEXF@#8|W-I z;I+pkELS~!FNvZ17IrBfD2|BZU{f3BW0WkX^5eV3-S(|g`LV4~^7=tv90ADu^i#~K znb^<$aTQjVAmkLUl1fxzO72rA67ppSlCClPZh2+0f}V{igFdbkC;1jm!g33yuI z;6$|2S^3hhc~skxg%fRmc2wX%706}$okImT zPt(%Tq7Tk$wQqwe=)uG7`%fQj?L7MF$9s82ggn!@>61ulw~x~@i$L%o2&MLHy5q9h zXU>KgYRTPTi9?4$t2gClr75CL^gwbrdoaNQ!+IRfJPZrh3)T~h3g!;a1rJTVU|c-n zH=R#>LmYb>_>m;ywG!92uR)SV<7)Q5E&V%LkY%p$^ZP397A=p*y#XN0&Gk!1<^4G- z4ag8<+*WKD_}ww|Rka1Q+z_-AcJ&Nb#|saptB4EDP;XlISk~J&+BeQt1P&&wF}Y!P z0(&V%@0D(0=-lHaMo*@M%V=2jnVxc=HUt{^C=|7YQED`4H`lP!p31oAGEeq%?bNWx za5I|!lu~`Rgm18M9Dus6i=Z*vfK6NpgS5XQiVhLt(FD$pwpJvpbPyo1wT&Q%Dy1Ts 
z2H}p(D#7+;k_%yBY+&V2!0+v*-5Cg0NR90}DBAdIUuDrqxk6=fS9U2KI`4E*wmd_8 zk|Pj1L1y}30(@|H0-9~#yq{lv`)$ZK?J$(Fr42&~>2nGoi(YLS+ z;F*VImoD#ocLYEG1Z)dFMU^BUA)A)`DNnCrwr(q3Yyq5n2yFPxqwR=u;{o1Qf zzq?=DT)(|>&1xJB$Fxb#9NLiN3A(OIQcjrARhWrPPlV-<3~)|3guQJCUYmk6r%3CH zIogt^O*g(i9Kf!^>R}y&v3tf@N!!$R>ohuuYMgLnjm26$blvmK3>oBv-Q2f0UgbRs zOEsXuI<{~$6R~i($JtC&A{Uw2Fu3XUyr%0z%)J*9PN3Tcaj62*MDls!GIW;BwkO>& zQ{bG+aoyH?qa;?Aa~0+!dFcd5`!V}3Tgzu0Uq-?-kNkX?yr1Gpci26UpU}j9es@Xs zbGQ>R0A)cX9zapA!9;$=H)6{q(S?J{YZ_Np>F_Exv9t;X<&I~^jL%s;b(TaI=a|ht z%gm<(li|Q*Pc(XIAD!~t{iW_6Vwe)!!;XTnkjWyeqvUIqd9iX|EBB<-(>BBP2#bMM z-(bQdLcm}v)`bDl148zBc@d}nMFv{vEP@n1n-`PN7Cd&$4!tgE%hIh8Y(1-DN&Xnjp?*7W1%{-0%9s_Iid`h_+9`NgHbQ;PV z{v5BzFD<7AhO=WJ9BHGCP(mdupRcMp2U)77EW(N7SWrLiyycsw#(bb;p9*MzpRfK{FhO5esFFuO%T-KMAB z!*>do{o&lL6jdcwu+#Xh<~cn*8}8*uBeRX(wiNG|&p#`ILL^79p&Tz=QcBu1HJX9- zrJ9o`BD^T@;#aGSg5i z#HUK&mtY%@cyUG-VT#PkkT0^`5;N)B6lHt_Yw+Sfq7fH#rog42P_!$zVFNuu$ZGdg zB^ymP<}ya6?7(CK5|jZrU+<9SnwwWOOZAUoW_s1hAHlLLo!K;w>t^L*yHa7W+?=e< zFq)K~hD}*(8VCSrrG4^tWv$^K)wXPG&D-0T^{wb_ZA{KrvoPnElFr-rn(0w6Q==EP zz~l@$uJ;oIyEKE6JrIqD7YH=A5NV9RnEoNmgT}-BOgXw1@UcL;qT+&CWhCork)p)` zB4(Eljz*}V59mv!r}-eRv~(Br(qm+N^lfs|s$fu`~|qbEq0nBI;NK3#dIs zo(XkrEWzy2ltCtrg3-7%GI>I)gSJgbcLq^C%9fN0}(j2KBmUm;zDyuX1IG-T`r zmUOTIRGve^3vUO|csMl$HYSBqGx04ma8LxGuf*oUpvPX~14g6b2=PJyBb22)>{5}g z*3E_=Bi2{ng1*6bgZdR6`k+5V$!cq~-y+(ZDQ>G?Z5KZfQ$42&*5KesM_FUa(?sz# zW7090fy=+CmUq5=Fh3*}Q(>;8jWkhpg&EX!``; zv2_GJCC&|0o!abR0rEuHbd;);RvZwILveBtUo!0h$_7k^<@z!_`!UnpPE`TGMp&#o zT3{(#y0cqZieXKEinhs_JvaX#KD*PK!rc{My9#jUfI2V5o%_Y_LfknGl;q3$)cQ+R zy%_@cPI0S}agLJR0kA~vqo9P8B%{i(fbe&Re*tNlkri5SLfBjta=1RIt7SJMGB=P4 z*jeBB>MLV0y#OR;2$4)z!@vFz8aWq6KXnG^Fe|kh&yJ2(Z>?{v*CHaq9iAx+L&_?h zel48oP$fA*CDjO#?554>WHRel52gPMHP-$Z;(_=W9P%&%obTIIwp7;eB2yPcR0 zWZlTDW0)O3AsN93Mh?YP2#Nx6Eca}^!Cb&)FUpZV>7vuJR+gPrr=(Wi z)?EECyqloq{MSGKXS=!gk=lv2j+z&wg$k(hl-V)4gv{owecpUxaRsKT56-^6{0i93 zddvKcBSHx@5#h6x=svlVb>T9=AuZdP(@DZOj?eOn?p zp>_L_Zif;Dk=-mqp-ZQ^6Q=HYfB)sT#Fb~Po1J|h13v{2@wm?&d-C#sm 
zz+SN<6~YX=wZ755Q>sq+8M_b7+;|HKwPDqG`AMdBs8>85;lqfswCz{l)%RAFyT)L> zY*yMM0?kZsG#)sZ9=orVu-2ensy~!PydklkRpOjfx**`;#$Hw~YL}}0;wqFlk4#xexLAO1c9IW!ERXW&=E$HxlaWZl;(@wvRp+URAmP$! zK-N(Ax^wnWF##E+QuRY+*rEC)C#mupZamrir{;THHwb|!!-s(v0Co?;Ty)Ubqa@D6 zhHG63o`clhaTgMTso)*ow5NEPnB*u%+hl#Bksg&|zhncH9zK!e6Q00=qQznUG{C*S3|#(LvGN?xHS=b7D?CiTh5 zcnU(hj}Si0E!sx2bP44m#<{dPm@SIKyVcU~u(y`XQ!8y|25qr{>fxef+GNKkCKGab ztff?Ji$|X;8}jTIhW}Rm8rj&v2|kXsc25mKC`^U-30JTGP9Ml6P^?hi06S)f27P?cT@}KN<7A0sbHQeMthUpTsXbK9v?-W~T+pA4Y6U{G)JQ0|4iJ5|8@zIQ z3(YHy$h`swsCiaPd>+e0S|~-gtt0EQ>@n$kc_2c=E6nwLpwZ#=huEB-!I>J;>keOB zK`StqVYvzT%Eo0APF~*%eNRi12{g~(hT}5{vH;yPXSX~=%8A9cAlMIEa9UhdmwCI9 z^tT_4HFeH!Y5eskxR&E$*ZZ%o>8ntfnt7aw;>e~p-;sXj+|x)thUcZfm1Pt}OzHv44eZyp*y0B(SoWG1EHg zo?`JOJFA+0@cmE}8u?YneeOEkkGzmQCulL=44l5(-TnT-3|uQnd+d>xb3`SZ%&H5- z0_3$16jnK5&soj0!Gs?RhL5~?$Rg6lic;Nds1gRjh%+j#tJ7;KTdWj|v0flA;kdl< z5jqf*(7!^&o3z})g{u!PRds^yL2Zohz*%hHZ5(4&xyNzNX}iL3htx8&DVB?kRv_b% z*ueI>lbX8tF_O3aU~sM!m88mhg*9 z{;l`Nzs25f4@QmhxHp#&R>MxLvGRn6oJ{`CgVL=Kqm8(gWt~kRd4YD3;#kDKa_=k~ zXElE(^Qy|`CG)h{4W`+)97VLa7cvkM^gJ2<&dg}yN{EXc;M}sa*s3&3&|xe(ZMUXK zVS4w$@IJp&7UKDtV@4ZF!S>AY4Ormh0GF}H$+dYKKPf?ugX>YTjKz=$VS7bLfO*M1 zBXm@ipvmn_SZ%rQBS#&S!PvM2`2juk^=L1L4=ddv%m7*4Wc<3TY2M93f~eq>=1y=- zPl$Sl5GCYD1R>w2!W#L5CFVJqkq7~UeAqu4CvRPV7dYgZC$7+qz(Z`h$na;{)*|x9+2Be;RXJz{2S2^ zh+_Xgm~rh`^UYllpvjD7M;)x8+9 z0MUS8ixHVyA|~*-1wQF&>|->+R4cCD-@H}}8E~F^^T_5vwG0D}%dI2rQUIIfsh}Qw z5=?p;N^~-w!O@*yBNVGRobl?UFE6I&S3m#k?IW&lb<$$IQhQ1#Yzs51h4!%EMVP<- zq;?7~V7_~|O(h?3Qm$qjN=~oclyzgYQ87UlhRFYo8P87XWU@d^)4>!2GHE1}j+o{_ zwzkcMar$|)phN1hRF`rDA783LK9k z18r(}e+&?i@?$|-^z9$o6fyXux9v;k>HRrR%*0MXlQ%sS@f@h;Zm+K0T3ugr4;T}Y zhiazMgU!5|xwwBc?VmE|b;5eTRn(Qd#9^J?$+PQVhEPdUI`HP1ik>YGowa)1^I+3H zNw9MFvn4WZXJ* zr_e-M&JU3q+2R1yT4oQHrWlrE-GHC;_mQL+4S$qX8z_6L$&PnO>RtMeuy`s73d5YA z!+(5luAyh0&BtVNgEbmH_p*E)>qP=1alRmHi7oQd4iGP7T9+lU#Gs4Pb|1{TjQP&M zxN_-`#%Ss9%psMj)IsuNfrD8Cf@0t5N+c)AO5;c=7?nkmgL%l{(pHm&Dd*QNejX!` zZtity2Kp+?3n;B9ETSO;tvZt+t}lWu(0iVKmLo^}pUsXlvV%x7%?BZTXh*aR6rjXx 
z`A{&tN~x?Zx~z4NwR$(}s`8Lp*)Ihj0M<2g2bW&yA0yE8>2Uyg6pz`lw$0A_n@eC^ zg)XxKuQM^O=7QNm623LAf>l^_yR+dQaMH~6Hrl;Q=nz_dse6usj7vD$a&WZm?Z+jY z1Zz+&xXMnyc(SQ||UlYb@jSmE6{vAl3FrW22Opd3Y(;hu~*lywwB zCssgw^gHfvE-<|=6vtL7p_msZ&DKZqo#r1q7t?)daH9B#5Yk{wE+tcP&kK=yWc)3j z&VGbiW*^}=0w+;Rt=t}M<_T;OCc`Pb5rsWsS@jrN*v#I!bsfYGXn~g_^a%_HUr^fi z_W>OzdYbUH9I*-gX-LludNc6eWI<|x4^9Xw5HBm7NwkuQc_d)~Z&-NUyUwnK=SVaj z1HftXqvM)ft((~`r2YY*zYQZ1-G};CrvR2w0wpPs%DY&I(30 z7G~&$eqtgnaK`cVo`Z%T302`BEx7~BaHd@<3|zRvz(PdFnR;g^5isN%Vh1622}G?N zySHR_3n(i$qlg5_@cT=E|BDj%KfgJqo z1U3N~Pe>G~cvUeDvEQPb!hJc=fOt!i-R!dz8KGG3VB>_ZO~5SAKPRg%Sjsb>*EB%{ z!WA^}A5bqsD^SDXg$4h}j`#*F4A?o&qfr<0{h=F?V$gy=JUKpEkfHb5vRE9z$RJE0 zBeDpv(M-@B zDEG3MAyk%V3z0zuE7FnD?BdvonmsWo9wUmm#KbpInEc9bK-Zx*t37~%{qz~6rtK?` zR0GG7RL-9L>FS@`j8%T~%}V^*m21!6{08R4?sPPK^V`ZV!xj7piQ*{=z5M57_tC(| z#x}-$2F~v_$dAJ4kA`sO;CNsM>J&5ZI%OZ7;gStC&}zPq`(}p~3aR^2XJP6p;I99) zV`l(%i84-lIJUz&>w$jLcvaYN=U#}A@aLZ)DaN6g_pOhHTayu(j;3Un6piO`AJ|5l z0NLh@l?!o4d=XVT{El|<*Dkdjs%DMObnIR(%v(+;&syyW1O`02ipVIbCugNZ0QG$AQQRV0j;$O{S_B{8cTo zNZ!7i3-zE1>cKS+o-JCaBKLI%ozjlmP{#hK%5Mgo+c@ zhq=&_S*Yw97dI%L1GtC0qQgT}HRRO56} z?8B2^G%RRb)Qj+_O_sf^&Vl9%7qQ#Qy>ratyr@{HiDM5u8p^k-D-Vc~Oy zi3AZ%4lbTYKQ$+>bD4^4T3UUr;yb`IiOC)Q1AJWOo^ur`Fk@h8*f;FM*xhK~w3t=H zYkYBLg&E~)BJ;Q1wi zVR)S38&iwU6HoQ}0Zf5ap9V2&W!1^U*RAk})CA9mxFSp|HQ_~Q8}14BU0WE+Q~6tr z!665o_l~$d0N2FsgiEH_Z5#jj1f>R~xN0@3EG}dI{O~lu~O{WO2Z@%Jg4t z{L)(c#c%n=@4?UErZ*((MrPP3v8@m$HinS-7-pO@j;8J@1=ON;j=#P5hn@za&h}_m zU%zL2TH_n){>p{F#;W8o8m$(~y{2R2!oNu!T%D?6r%W?+)vGq=>!37kmW=tqt@i`N zl64Y}M(JhW;-5d_yuBy1#1EU;WWl)7utFh4jc{&6pM>L#hwM6NxjC(O`#mTF*&%LQ zU)aY27sXUN5Uvl3KRo9mN1kon;oX?j8fEScSSb$YsXP~-m2bLpo*)A6(qpXIkfH>2 z*s#D>%=**v-pejqZ-b(mpB6ro*Ee2wqi!NS+Ijr&9*7l(hx2T~T@s@{@YaEPIU?SLro1jz+y^>aR)k z;OLpzP|z6TG6x$Y%>jQDZKU0t?W8y!?V+N&L}R!=8_JRkV#Gfq{7jj2CvLi**UzHA zvwT~>_yIH}uXzT0U*tsR73vOvrW@GMtPDBXA$?SR`y-8;GEfc4%ySBkGTW_?M@Vh? 
znX(Mo#zw7f=k4R=AK(Z(N7S9E*B7jIvVETaoUX=wIUEPsmNsg=TGx?#S+Ex7K*oDM zogN)^cc-i9)_!-=J2WzL054nEaa!1MS`UDj8lAELy+sn$))v`NxmkR1<0i??EwtWm z*%987`BifUvD;RC1000G@Osi6Vqc%s*enipZkQLwBS=s@@Sg!933#5&H0Bk7hx5f# ze`dv~Bk~0kXU_=NL}OJpQ^N&KbQEsCdN;=RdE*U&n!dN*a(iZm^=SCG*ub1vd8Vojd%?4X z_a__rEYf{&FKNbkE`K!U`S>h0KRqa}anj6O1D6!eH^^V0_JsSj5#=SSx<%g~I(?YC z^Ep)~g?A1_ljJ7M!f&me!kGQ-g@u#{-N`O3n;snzoA2cq$zuN0P23`S{K|8Pdqk3T z1g{q^Aygb0&k&_!mj9@=_WQ=hH05umv;BPt3lM=C($fK2#b66kx3F3SS>pQKBh?hi z1F;-LiiI$TU(p?46VfeOoAe<;kb+vZ9$+7~JRQtoa+bXbN@Hov{EZX@FlT8Z$lMSS zAaqdhKD=gtPbVN3QVcf75n>VLN06K3<;|VHe&hPBwYAuBZ1$)ws!3H!7T3yq5_yid z6Z2$>wlQ;Ed>hnX@(VHy6{8Z^SrM=39gbiS(;6&^fga-G!x8L5vz&8x!~ua| zOQb2PKlvWG{*EENiH+0OB{@}N--@d8kzAcc_ge2ON;m0?%BE+f0V+#|-OYjIq?NzD zs69cXHGQlFzxr?r6at0pkIg`yopTz-gP7q}>^QLfUjm-R9Ss{7AlFJ$l5?fEx%X-? zwS9@JoIOS#XAe>q_?L;2`iBXN#BMT}UAVjrA=mvbSkEIti$%z=iWD$wFmmEakuh$o z1RmI&)m`WWucE5t0E~VB&*i1@@VxG}Z@Q(q`f43)Ro(SfO_}z==!?g=>Nq-FLNzRMt2%4BEs2+& z!*AhEv6}5Kb9ar4+FAUQJlf`G3%2vg%xLAZQfrv5JQUfJ8X>cwz_e@gV~i0J*h&~U z4}%@sD5fj;K9jc7GaCMmJ7cJ)_UD4EKY{H>&-#wdF(E<4yB6GQFv_#8BE4CEQV$YE zR;3VaOkKm>woVmqvBEHoTAYt0XAQq#SmJv)B>gQN_W7Uax#vG`G2{=p^o}v^;iU9? 
z=JB-3p4bHNwnYJ@(ZC3}itn)ch`P=rA?s`HTNN5l-3_?QpoN2$f z{Of=GpAcJl2%86DQn1dHG5LLI-@XrFia-{ZA`(34&0}ksFE#ln1ugHp8EpiCn$2<-MCu=0n%|?Sc#n89OSoP1a*&24*!nbWp6wJtFO7k zo;)@K@#(jl_p7^JsmS$fkD1fTfFoMFx#nZ!+HW+}76lNnAHvB&Xhme~Q%TnIp767W zcH0nvWd2dEBSjt+3^M#+$3JolhNaNPFx2tSV8uw?My!tE!cOcCWGq2|3}f%WvY6&l zk*5+?>tqH>eV9eSYGZTu+_|%hDt6=cmUl9IN-|CGRIv=C`7G#U)jy!YOfC5SPoX%= zsPf(A(NSI(x4jy43l2_kb=qez*~;Da`n$6O#K#Kk8hr#hs+~RWsg_z6C7=KnupJSv z1Flp0OfQ{QOOeqdN?5!iP&=A#urtTta06Q5#i}bTk8rd$TyrQ%S>WjEIK+dXnEOHY%nAKgI zft8r(^NP|dmT6qU-`c0$!tqJ9V+JWde+c(1PU%PI!BAr7N>Di>>37b99y9rBVCliW1{nKRw;~fK8~3E^AFRDftiXMBJ&o zWwhKGgHakQFhj$n92OgEHz`=XJAlRp5F6;e2@I*FdhW~L(B*Hy!#O!Bf*BLH!F&Ac z)15b~VT*0OwApuG^>Gb~pbT?z9&zrdA#ysAHqO)W^M+}P!ga8MuY2mx8uQ}=zGs<7nJ4+y+Iyc{Rgo;+Y&j7EIJQKdI=4D!U)EmB{3g}}op~;|0btS_ zLU~!?An5E$X;mL!pq*#mzk2=T<=gGY-#&dF&+XB{xN|tj^7+S_po*U9TrDZ4Pfm96 zKGMToLjDFZm~`d`4>N!Biw9}Ptf1|t5T78Ug5HIOjKlKa1w`Zw&?bgflwwuKN-K~t0&_8EC>A{ZydOuJzJ z?o#NhZ~oeN#s*mxVf+hxNZ%|1x?-fuNpjg4iqBtKX4 zG4CFx9b(4=g&pDcNQzrn9U)+e+vV^^`nYYz;7kp_Tr%W!KA_1+%#U>^=-y(mS-Iws z{{qlb!a|AX46t+5SKQ;sBzdUgS_vQQ|(14c5Zolr8+ig&m330XaxeOR3c=c zJuqFAC}IhDiIAP_KH?c(vhsOXdERQko51aoR5rC8B2(5;sLFz9A}$gZ zyA6AuKyae4LDA~_CLY89)II_qTMULs^K}qD?Xlt>P8l(|ru=4SJS9B}qTPk&BrY5E zY&b?98B7bZu*TPyqLrcC1ref8c$-#A^&=+cWyC@FNaK}Fo_3ZylVvK@lz?&_VL%1G+W zJ9Q0vGR6G(SKcw`D{3UYYA;nnaGGHXyFj)Jg93uMQ>f&KrGv6>-9ySR<;JEUX{Xe6 zYg_ilU;DerV86S~dVPeHWn-9$YM>5bZb0-L5f&9IkPJLmM$E1W&Nf$u>Rkv~1-4aM zom>2=-%Ig&8lE3vlo9iez(2zM4sTs_)5`?ORbXi4!tZi7W%e0`#JgQ4&b2mChA+he z^gAWEQyHhj11N^n{Q5CFq9Eg;MJeWm!7u?8g{d=yQze)v1dE9dl&r2@sjhuwa5Z`R zmKQ`=W@p#$k0IEic@xZEGuix*KV0wi$&n>q?24QU zt4lFl(9IZV1SP_7NSx!3`mAK)FzE+3o4RXba8WTw7y? 
zT>J6O3bMO8FM=b%)Ih$(DD{mv2W}7diqD$vZ^1s-EdQ@84|nCv&K>c$Aa<%;Vt?+- zWw6rIuJ@W>v~PWS=XK?FsFiwN9*%fVAzJvBrC%&n#s)Rdmt}`KY#H;O%}bFX}anJdH3W{Xf^INC&LBO!p+IM z{U#qFe*hN<53>n$b~o4nlQ9YgAq9naoW$!Yor$V9A&fBw09;r{QqQFx*r8&kW$@RF zgRBZXtt2s`tCp*tRu_7J-7cKp`Eof|XC1p3@-OBSOWCKpTUN0BoSle^?c zn*3`RqeD|vfvIEiB4L!IFIar8QmHv$t>c@-V5licC;)?5dLU#I$Y~C`2i5h%;7lh|mY?OpZ$r4F0+VP_!;)WvPfx`MUXb#j_{VwO`R{@$_s^eJ&_V zUb&r`b@{a2&VZb8<@CbF`!RjYbsK%PlNqqWr(#quN<3CvL6z@C@us^W9)V(fol2$+AeAJGK(raTJuyKo z?Whk2;=-GHG%Qh{D27}_`XxEI6Lb+gKnQ7DVRsMZl&l$|Nl8j7r17-W3B!gp2TB|f zL_Gv@4k7T)934RNP>_hi-sRGBoaGfZUKX9lPMHqC!*yFcB(~1U7fpRCB20n z9fB_1>Iu~115$h{2Sp3$>2>z_PEof$bgL|JV_A-bxLq-cltXaNgI7jMGiPa;W|>0l zV|ApiT==E2-{S4PHX*R&T~PTpS+poMwn9tWS4!KJBVulLS9|PAQ59zi6AntgSb8p% zPEJtaS?3rp<2QpLig9^Pc#4+?Sqq`hjij*4HGphAe0EKO52XR*g|&eO3amQhea}!c zKkSn^!>B4ul8QX%{%J^f|9mV2%%%3G{UaP4Qkg~afuqi`XRraJ0Bk!yE&ACDu*jg= z4w#jQnr5r9mGoLUnnegJ-^1CANJ4>2%W4%o4H7C4766*S&leQ2B21wkYm{JI+k|7s zh2fC(cYjq9L2@xod>=jNV4=O2QY$+g#b&SGM+iGJDu;o-N_EJ_B^Av6ff1 zcA@s>P+7W)0-56fst=0cEP=m}|PMH;)cdB3rN|4JM$kH=alh3|{;w^IfI zxkxTfLKfW+(MK5}B9F2CUp)Koxpet9g?N)om=Qk`sTcc9$ zoa{x_NYsk9H`nwG(xSE>eN|fpkR%$p*@%JA^NbP5Q}&39;Jb3YRDHDvKT`wo9jTqd zmH-zCim@(39otFjm-6niTE*-J%EOjbhv|tB*M?P8;ZRNk$B}K&$a2?xY!q5B<=VRC zqfcPx(i4wsaPa2#4^eB2ciRylS7X0juee4tw@80_{rZJpq$QRoDxn2lxist9i6DJb1>mglKk_)L;(!catD=64GP&V{h%_k= zv|QvXKjQfqi#YGfZ&k1$u8eBQ^J6HrasJ{^@TC|#2FAxx%-USiP$|9ft)0Jo2WA1< zBCCfW!Cka0mRQ1TWSj{`9OYUjNz@-*85<`+%GiL}Cld`Bf=E~|+{B2%_>4bg`k*Yq z*m95&HCA+xT=Br+cR&BENQK}B&?`_z6)DXIUEUPDYXy>(w$y6H z%l*;lPH=i45TJgSJN$UGoRIBg38hFloMM_2|5F(HXJm zj;y5JFb}iHAcC0d1rUgw8#f3x?JC+2PyBJRVV#lEW5wvsm#yQxM)fgyIGpGg2&ue* z>W*U}&uBxD3qbk0>=~sP1FX!z^ubn0TE)XI31@ny5C5(=vghBue)2FA!DH4W$~i0% z2vB$lUxWROx2FkXlV+NH^`|%6mf_6SdvxK@cIL_nAWG#guP6nH*cJTunzQ%alX5$p z{h^Lv>w}KeJ@opsJDd5lJNM7aUk-D*rfi@#X9S!LHTWwzBDTt`f^l?Cwza>+;(S8U zd#DgtOA5q`d%Bnq30L(Q^B}r((v&uBBu!)f z5riLA3YsYc2!ko8<^f`_+m|%YO8)(XSDX_^+K~0y_?T|Du{SbUz(6DEAmHV}Ca7ZY{GdMWhhfBDS7z=_1eSI`%YK>+T{A(!X$8FNizu^ol^3V+oQ049PCN~#ZrbS 
zX>q2EI9|j!0Hj1rnu&fs*e1{ollKi(MoYpLSCEAo_|>Z@PA!=4`Gt-yE{anOdz3UB zz>im=?i4OG;EDug*(KK%c@k5xOJUK(chjs8t^(#aOJzMdAL9vUvs*h)zWYM3o5JF) znSVj#LlFUWQ<~H#(Y1XF9J%Pi*l-ZdvcEO%ZhRFNaw$`z)OvYvR*J&HvC8o@ zqG<|zps?$4zM0xRt_FZKbv7K@H{m+~I8^5*se+;>te6~#KE7hwX`#LBB-Qq=q} zif!b2~A6RwrBf<~JZ%DNye zSXZGHD-kLSY%Xii**YA7Re$lQvFi)o?DAkJ^m$Rni;BSA*Jb+!f|AJ;m*GE|-ix z?7Xg-(4~{k6y`2MJN~(UteUOKmBq8oV5W@VK`Am4KN=3+p)x@b4gN?0YDj-l2B-R8 zc>~S(boD(Ec|UIU07nGH5t)E#@nA;=%wKBUAf>8tH&t|oACuMN!TAzw9w-r>&*~RW zI9bJ92q5I(`1~_Y(tw>P2-=K!yrviy4i#LWz47OtWeBA7q03kPKn9q;oU}Kfz>y1c zCs;p$^DvV6M_In3ANWtaKfUbctl9YThg(sf9=-W{_T!g7e9`!_`9rG-C7~Ylsx+?j z4LTc6y-U=2cMvb>dqu@TdX)QvT+U5B&ak+U%`tOCfa8%_h3g3^FW<dY4w;I1zDe9EVg~(&6lje)!;2e#{Vs4~N|*j@^|#7`HTw5 z@uv>^&P#C=`$mN>btn#y@~X23Ck;xUsKM*?aQoxjVu(gYM-aH}w6? zxy7Zq85a0yRI7+X+vHy3>iAZ%Jl-`#Ybq>vj1r2Bp|6+WbS{SU=(@Lu25oH1dHN2?x+&IQ81WO+2tLFEOlJXaj}!c>vWUuwWgK^v>2<1(eM z{mQB3J8vCf88C|pjVdUrC-g1AEjdE*gp-PZOJ;p3g%v8Qel@2n%|}&1<}y20 z1)h)btV2l1Xw9^fs950$onu(b3V-y`XNhq!sQ3YcO_hDBfC^&L_-X8NfeOaecY_haM%T2pEkp38jSK+ zF8GR62n{SrOPHZh$PDmH5*8<8${ZHFeT9Bgs3PSllm@y)o?e}`Lo$(jc0P&v>fLEl zPb?4=pI-K&JJ3i|V(cBVj*QbI-7w#sQ%LqZ>uApRI*cHk|Xd+ua>BU3vXgWqWCW|RW-XXpQKNFDy$G_bd9mnT0v<@>(oo90(%}CSL zO7?chmoZJo!x+=x6M6W$Ou}IA7{do!J4|4ajtwhPW-1g;3%m}@w5|GFk&%Y$SP{E+ z1}38l{Ix^*=u6=siCV;{+a=GQh(@5*dSgIbC;6Tfrd!nW}FMo}YbKqM#@5ck##NFw5Hgj$u88ATw zglciLXBkDQ;*^~qs+RpTCG1b24K$8q2Vn*rai&*H_7Mj=6=dhtfSxi!{8GY>vuq<9 z>|rjT;deW0@$WnY<=-FIqybULgpuW(QW@hMSHdHn{n_U4_vc^#9@Ky`ad5cB;_*e`CMmF<=qk|2aXggCu~PxD-U zcIvYNz=}M?Iy?)q1Ud!NY6}eqL*(IwH9xY3dO5?wVysk{Ogqk~m6zn6YEl3oX zZEAW*B&E^*KxVdPcIC`O>R5>m%$ zS1wU>BkkDQByuu)mu(m)Pbbqks8kRUbGABrT$r(wCwAF@=8vVR<;mk@vQLq#UiYAi z+_5CB&wGSEX?yoUes{B0-uRq{UcU!bY2%XUTao80;adS+zp^KRcVYCmfH{9r1cCo%?8#C#Cvi{^u{uE%w^nfJ(qIiMkG~VA z!zx?3%84y@g}%`zY`v1Tm-_UK4)Z4IWbnbfy(#!z4h5KY3Yn9 zGM91?_0Oo*W?kwm4ksa5p%p-Kv0dH!h|xE)KQXp{8!$j$3b1lYQ*6o=vSU~`}{M<9nC!DRn~2Mh#I3_ 
zT&fYWZpl@1m3mvF-IUlo_1OGAl9_af3J8SrPK|wbCe!s~gDf$6mZj86Kp+$H!UyP<|DqKC>;Xn?@cj|v`3H#&+lieuRhm}I9)#2<~PgI_Agey5BQf2O@I zwv11%t~Bka9ucr9odpUifMo$ghoDYOk+RrgRMtr-hJH)RA^NBd0b&U#7*|z`+C@yc z0arpHvmuR`(#In~&df(jftr^2Wg@RC6_>7L8CR683!9VLPGZ^1)tEL9#tZ<_LTHF| zP-oifQ!$)`iQ&bu5G-EPkWe|YBNK=28GH=Ab84QJ_0g9N z_8^F$9db#KW>!&5mil+uY(mh8MXb>?zgP9&4mqPHeQfs=;;fA;)RE~-;11)R$<{aRTSU*@w*spBnU~tHP`|c(!>_aPKQq=^6>fYfu zG=kX(pY*@~_1`n76yXcLEzdwu7&^DZ?}ziRA$iv)7RmMg`xx&R5Uo@lpr%wq8AZu zQ;+J74lqbrk433lcIUj0a$khM-Mc5(RU>=z7j(!itKYRh-a2_kO3ut?^k*)Ax2pp~ z21)$k@Vfr6@GJ5_4Z8Vz?aSNB&tP?tJ8VlW>UDA_awb{Wl?CbvzHkDc73M({cgYzE zc|*)MWwM9;M>aw5$UF0cM`@jTQ>vL=+dfcsmIs9L2;a-_6xAmvj6oMcL%wARI|Hj! zh!})f$jAS{tC;<#;Oo|i*ZqK+aeU-vLmsPk+?yX!+zn&_CqlbeH5I4m=Q($=0xRe@ zfC_vWXiyQVo@*LA#u)-B_NQEiCFQ)^ypnLTg|E@7MZ!TC6%NOBBD}hOp?J+nM}-3;#zEB>wp=bn!}I$%}fIPe6k1 zSKjkNRTg%>SEhH}{6LECbr!?9{!6&tuRm+u2LpO*6$82!cJ}&ED9R(fY+v6gYhNno zEFlK}3WEUG*mGKf>pU7#q=-%Df#y{VS`y1a9Xl=`1^%sEsy<@J(ms1zD1{Z}Alk%@D_Mf#uGA>NXXEh_FP zF#bSF%QNB!!>b6ONA<}U-I0F(pi*aRE@{n$r-9}r^0NB(h4jrHaAz9a_}URhl#b@htn~j>p*pl za%%=6h_*^nmFy-(_>rVCCmsp>!$U_0%Enn|usa0d~pk28%dS6SQIX~Q`e7E-viI48?*AHU@saVffL-`m=1#~Yx2p#&{qd5>c1 z9C_zRc0T0Q|O1;PWJ-N6tqz*{`(EoOjqVI4#R zn*I{)_j1m4KAAE)&;|RfxDvW$@=k6W)cV$)_Mp*}qYQrTegk9Qz3OkzNj(LdeI>sH z4wJ>Ci4wWqLN3?5KYBkvOoVZd=6npjUwN%Kf4vk*V#x=mBwn~o>>U{rjCX?v9@Lu;MZsN%v_IT%d%B3s=jUy+CWV_lNG@~p0E zvF)2|U%o@1qvqiz=Y8n?=}&vMAvI;IhFw%!S$da-9^p<~)nd(Jv{c&7FH8V6^RQI( z_D4C4zkm3Os zSfcJWwi1#k|A6H7M?G%*fS!Lq`YFW5^#SCO2~yvk8QEtM)ET zWG7|CfhVDJcc%G$r}ud!V<0zK~+IvxZj`#?NNh;vq^#D321oQWFx_L8BrQ z#tsfbDvo2;qz6WHUg#GlOMB!CMXS4CVGY-}3>arlI$WHbRd%siz{&TWlkmxy!QyJk zlA!)uC2#No(o9Xp<>dgQ35r|~-yy*b;bg#y=mMi6-%q;@unPd@@9hXmciWfJsqZ zL|feUtT%!o4n=I24eO34nwzn2>hqBfBwqol^~F9s#8kK{cpub;o!oBD4=2)B`x;s$ z_wyO;{VJYJAsaX9Vhke7RqsXqDjb?C88i8@K$NLA{xdc5S5EkfGUmcu$ID~{4$EHi zb1?QpNU`Z-xox z1B{gIYqUx*J_XO56aJ*ZN&v{*FYWZNG#qPG-mJVw&J?h$x;9P|udHh4 zlH3#@$9$}PYKK5D3B)w?T-*A(6j903ozy4YWek$tUl)Im`Sl302JBDJm!-_5Bieyu 
zUo!_>G`Lni>dcnc%GSMQB}vn0m_j3nAqh1zK|Vy)d9k6GZTi#C>qfhdlhy2Y8k7Fv zQVYsRkU?Ze43h}NB|a&vTrsJD)4>5A@kuV(-B3i~D~{(CDNUp|cHrme71b@&;xFzB ziFpw#RF(#ZYf#Z1T zJXm|_lqm3pnk2b<&Sa#mybMlbtzGo(^6^Zr4|mKjJ>kQG#1Yln9B3a6^Apm{@j-95 z>dG_zG^X5Fb)ghsgqJi-71XMDp&DG{6c!y4oiRF2JU2;gyDZQGpfpy=i6!Z?Yvik! z-UUVuCZdoXlFyyl475!K8?J*=qcYY{*rA62fFn8U@w%7=RwE(HmE^IsOB9QP435Gv zB#l!Z0`h#E4)|}%#SI*c{}#YI4#szRZOCPT_Hrn*Aal43h$^<8TZ}mD$vGl@F{`cG zO)OAzIM{XZ3rk2f2-It9aZ5Np*r3mwyFtCvwYA z524Z-iOAp2?iQ*O{5Oo-9?%PZgVO6R=A=Yb6sEGe1V@||03)h5Z?Ng{bRQL2S_6xq ztCx#U(?5bHgeDkZCflQ9DAylZ`%xJ#yCHB5c|Wz(PfiCSI#@bMKnilrQs)`Ku`&jh zp7CpB2^Zu7$ly^)SsI-ahW{4ey2HUQ@cFPCUm@3zFQYUVTEj7Phoz_ycE{s#?qOn6 z@iyOHgt+0iBVdl`Asfp>4Bq9(JTeDpdLbbNx?e!nKP{jR3?;RvhzLU82j!J}sGyWW zS6{ZNtffXUyzKdqP+p7#j;NI;rs=DzJpx{PI0hrS!#|f%H&-ZARMRU0wl2!_Y(9qs zO#iHC_8ocf<34o}8i&30H82(8X5IqRLGWm;46wE~>e?FV8(v7DpAZguF%|{um+OEj z8JqY`8V|K*r^-ISY!UNcxZE$+J_vDrGY^6#?d*aGCmg#Fm&rO%$Kmt_!pYr-60+M) zm36gkTD)FW&z9PDX6y^zEs~B=jG6mrivOS~UB8T}mJoXf_|ao1>&zs2Q6;yyhl06& zanO$kGpVfcUk^q824l0?GWFGxDfU<1*eVeNSq{$-AchO?@Db`oru}~?i2>_(Fm~bl zSG9N8!YQ$cQ%B`@=kR1$R!`KS8(tKl#<3+_CsMnvm0D=rbYi_2d7=MlTpKnI%TUuU zkjTQQO}s{;h|FTHq^!K6Go>Q1Qh!zL2SwX%HcC?&6|ECZIo0xspvP_85$al^lbWP8 zKxT9t?YsnU0#)X%s;iyu4T)U46GJvdxvJp2&pheR`hLV*8!KZVTs5H(C)ObVCqBH_ zqbyW^+{*IpR@kHuS0eBgysim8tq^n5rj41Ds#=mfR4gFN-LZ z{L}L|HGQ#EdMcJ{rZ&qpQ;(HU(oV^UF$Ux?D(u_;c>*RS)mT zhL;U)CT$8ykTMDZejjvygT11~*>zy^XS03d!mV@Za#pW!3pW~rBLEShGO2?y9U$*; zab)AJRwF3y2h9fre6WMWOeua^!tE@HuPU*vU15tnaE5@@Fw1AJGM?5Co6Xkd{l*6V zYdw6h@nE9~)`;f&mT}75V0A7FDt|t5 z=op+s-~IW?bA9yD!MJlc$nv?+-ki^j>pHUteC5b)VEj_%952p{t8*WR-CZuv`jyGw zW%-}7YY92t!|acJ7_`&uh79!D$(C=arC{%|)YPDee<5-Jdy8QO0(rAsGiE2UvyTf# zu*MUk++P`?ZYcK=N$W_JP(C?bDU9=iywW3=br07xh#d9*Kzl$+uJ^NBbJUwJ z_75aD(VY*!V0%__W~DhiceSfgMn;IS$f}p)IY$V)@+mI<*J1u$@EAfVGVn^<~ z4ju6YR4?afF+Uvidf-Tqxq63dQs!Ya>+A`ap^$Fi`Jf*VDN_1Sqh6C*7zkVpy0{8K z$_CyyyO%jXZXXoWy}?khnmyx;NUlgkLde}0U(24ei=N4DA1eV$hsEyUK=MuK&v9_& ziq}rzYTG&JjD&bdQcxz_PV$5IF)ti3sK)z9?RNEBMDa 
zrN9M7Vw;C9;438{gZ;+42Q$KA-nYP)-vOIndL7VGBL0Q{k2`O(!M>#x3f9d^gx!^c zdI=rWmAdY!WmjM_t5UOAPiMCIAb+;`)d!*^Ihm`y+CQ#xgiGa|o^j7i2|_ZIx`;QF zRzX9!lZi}R${|@)NwUhahEu*IgrITp>kYzo#@-d`O?Yhk@%Kr zY~@HJIg_^n@ENj8r+#*@H|-kj>37lp&^NYzbT9x@tJ(xsdCuFO6tGMRgVzldxGHsy zLR9nuKZTw&>2IV*on89t9J7-ED9-xJ{^1x`f1o*yr$$4qPLxVR(J(h$1*!HzU}9yIP)491yC&H3>Jyj=TZP;}n8 zn?Gx9!Fu}qv*Nh!rQ;G$=49{QYoXZr9`w&Z6Ct*WiF3EZ_w-_M-h)U+xXZ~D#x4IO zfR?s}zJHKyH6A2HJIQ101%rzf9%F~8Jf=jZqvsT{&n$wxiX)x%;#qX z^Z7ii_j_Jxr3M*sYYQh`>+WhIrdm0 zlAa@QgqH$fs4Q?i(jcYzJ>q}FJUAk_Q#tK2f1F*oYh2wu@K zW-teeJL}mPyJZMJ2Xe1rIn71Fs3gcZT~H79!{I_|Er@xCh?x?KtMS%GW|>|GG0`Y2 zKH9Eu8iIL;`3Zy|YE(IG6>cWC;;z=R{(B}$NW4!YpD|?!M)DJzp$Be2`Hb%{zffkM zR%6|0*gbMb9WtgpeAKz)UOL&1qAU`25Js!+-#(HC6nxQaM#sh8pswPAb#b-=B6&mc z95Knl=4Ujbhj6~_IXlnvP~o&Y$1H{3!stgjbqXsKMj+b6nI?&JfsJLr3~QJp`4WuM zaWvE(_BIks=pSMt9P*zqc6jd*ZJp4~cLcic_zN5-Fj^*u@UTCH6R%rLLn;M~A8^d} zx$M@rJ3C)+A?dLY)-dB)#({fOSKER)ihgcmjI%kI<}j10Z*yzsr6k1I<)j`dQ1`7a z7hVdYx}K#hr>&38ZVCaHyuassRksVwbzS=&AZFd~9*naae{jVokodT4LliIE4+U#( zx9(G1?61wLC>D>~L`Vp~Jjf+X+x4#DB?b(Scd++s{af)f6KqYqgz66wKOuQJ<%=w$ zrIX6CP#AYxQ8;$kKoV_?bA!hh51RJs>1oSJR&oDaIZP*Zn1bbgTJoAI&!CVdvW(GW zF&s8q5ANPA0kyZF3|L2MS`FJA>LH{4Ft=NqfZ%-*TXW%d?4hDr#t?xd*B7L5&<3)I z`cxndh$&2`0|61ZqsLhW#c!x#P&WVmEM1FRRwx7n+^EPXPp5T_hzQVLq2AJ>2L-JI z%cdjq7lh<|wHmGvSiHu)?r;v#kjxFx8$-LrC({mc!f=4QP5oVKL-eyMVL9Y{1UW4x zbJTdEqvGstxs?sT;1t}PIjMzsz$$B)gnXlnqwbFoffJL7m%Etlan@kSbV>mWq9v2$ z?pH(A`t3`)ic3#SpE?90w8z%qzhNaRwt-+T*mbx5(G|M}yFjxgif{TB5Zhv9t;wud zwckQOl3z!NmbNWdadVprr7ARbTyDa35B=Q(7d0<<%qSC1dSYXE8YxG5`sN%4nOlx( z!^-W86eXzUu(XfoNc)w!s9*o6YhoA9p-BI0YPBO0UqhBd1T$7y3T%sTzzX}oHk+PS zk5z;UP#L{~?RsBQjQc|6DKNx~^-O2gv351xo3-$P* zI;O$)$NkB0jKJ~<#`K!X6R|?todSiuwTaBC&C|?<<8^2ZaG(XGnV=YoFazGPB3W;7 zQndEPMP_)CA3`()=UJB(v%b{dO`T8PBC93GzUu(M)4lQZvKPO8fJDx{7SIXzHt$_< zsBtYrSq|RAcl~@Y5&5H8zL*b&dG|n6RVyk&fb}aCcx?-2-r)k|BIEm)xi*(V?%~N3q*CgK|M#@GA;2nuu3-61O0EyN`8h_)70Y_PYk6lar zCoX^0Qex3NP6-LvAix0o-!3Tz5@ZMx>nT6pyy_$d%8&Z)rO|^aWgCEA#S1q(9(C1> 
zU{4%Kk|$X5l?H0}MrygapG%6;R!Ljv9Rsxuq$P8$E_0MV*v;IbL^cmP6q42W6$TF7 zC`*C?k99=ZM0QEkibNQ+;c!4YhlpL!vT=il+cXvgXQ#rDeAn+o4FGGX^C|QoE(C4D5Wr$6zTP(z9ndofMRQwN zJW2gX9S&krGcX~@Y9L7n(T*C%7o5wbFHwrQupm9(qPP&P_>5rJ;0tQMwX2`N7bAKE zSF6x=UDDmpKVx#Hi5KetHEw_K0E8BsT#6hJtOHCC zz$7W4GgemJniE_-{0u_wNGAwrDF!5^z zkd{8s1$Ehb#pAP(AbEUtgOS((B``5pSLwi*frBfWz}lN1-~5QM5cHJc#oZDavqz7v zxwweM7q5MRkMN6x9nEga=K+8iW!IX2e}YKsE1JlUnzx&O|KUb6`)7v#|1kS9&u_>? zOO;(S`zdQdB<^3=WLRcS1EwTm?ZV|s?hY2KN~RZ|)ey2kNRAMRlxFbdHwZ&zj~+>D zKW4wjTmQBE;pR?0r;|6r=_zYv6eNPzNP>cBk3ZBI)AETkP3n9+#of>lUfpD3MLF)# zwN++iI?D|UQo7l`Icxr%N^=iyH=F!f*kNMYN_;NwXE*-&^2v*5|EJmfUGs+@e*Tx5 zswf1}0N%A5VYIBF;4P!ecmsR>Ay-YNkAJ~R%93%xYR|cJ#|1);+kY%`S znK}~(<=ibdUvBYNwXR`77uf^^8>vMU0(H2;3j;7tiX{#ZAJpC zVP+%2%%tK}X)AVHQVb`w!V?Ltu;7E?(NM9FJ<&-7X^%182n2>^2_TTT+dGi`p3Y%) z`1atvcn{0&U-u}@9l@9wKoJnJ3NYmRUf>0%tdtJ?39(aMkp4*N5GAmfprFt37%!{O zSOo{DH|RovnmYmdXydNr&qYmM?zav@nGmF03_B(|%5FH+ zF}imsDI@QC!eAdBUWR^hJ5zUy1n$t|#d%D}nGzGcOsy!q`m?_Zj=$u5k^TF)P7^MQmiY z2;tgp(y}RFk)$GmDB$H6Y(h#b;z~G}>mUT~xMbQ^($rP#)>Sy-rI1pe3bYemY`#WD z5Mwyq?MA7(1WH}6BbPE)5gYH`}qU>8SRFbzzMcitf0e0GjRj%hS-nw_N{zlkrtd=J= zSr5@7Sn%%P=2L)}Sl7M#+5L*+ncu4D9-ey8AL5j$+m*|WOuXVeUc-4@ON63+9#4+K zS#xu9<6cRhl2>n;Sq)e%Txz`DaK*cNSBof^pL2q$y6B@>+7k+8KCcl>LsJB|na zX;mJVEOBfD8WCDv7?vOgNOz`4Gyf3Utn7 zYZmI_T^NI9PHN4Iep86o1-f4vF|1mlT7U&5EtTQ}f%sjiQ*mi|0Xp}$25KTMMOa=%JAQubu1mrEL-%B!E z1c#92Wu+4?D&UZiQgIXHtEJ;_h(0VVCL`gLIIiK@!ceQ8ub)hI1yc7`EoSNK4ggq^ zZ`z~eIekU}{kgEGUT!KGws%YqjH#e#Kx)h}-DUM>Ot}GBwnkuO35?3jBwcFCg1WfY z3TlmfTnKs5zj<>_zbU$=*M4O51QD^D4YQTCBKs*^rkfO)Xv1m#{Ig>HVL+@2{d^vc zx-te@sy=3DV$fyfkbHO6glUh0KCeh-#Q4qma3&fSbvp5`e|+|bWAnz(W}BDWEICJL z4e1_dKP?axMs)MAxw+B0*W9?LTWuAWZ!))XuEO^KrWIbeih92XuB5X&Ac+c7JhZZQo^FREGirQ0 zJ;9w4HT+N!t_5FL%BiH#iyriz!~&88AKgN^HK%bP)3ZsFqg)b5^b%c#c>l@}aOI;dA+WhY<^8 z9`-7B3xfy>dj`4}NMj2xShnb;>V?dGme40#sJem zKg&Eyo@CZqd++mc@2wI=OR^Ii=#K5;z2~0KefG!NYtM06;fBuKm=%&^)h7|o5hWFB ze*(0Mnx$~?qOj>Z=%pXbJ}-$yw@%dpR5#6nN-S;V?#oZfLalX;g 
zmDxJpJF9zuq?b;mY8UVk-KoH_FyKSCY)z@=IeOLdRZ3W)QYo#`)HFegijKceP0ZM_ zlPU%muVp^{s*Al#UF^*vk0yomQiZ5}K$?me)b4kp3cL@vFLR!LVam;$gi9Bxwy7aM zUXxkog!nZoQBkq1y3Vh!U4MrJVg0jS=gpN!KM8Ko@C7#m4my7NU>ZjzP9m(~8@U=_Hc6MvZcOc)Nl(g+DJo`&{F2c5t7Q7at6d@Q&@ z$Vl3?wnfS_nj`#|+4)h|%p46J43G?IJiW7Z`-?mL-|fw(|8e*67f(0uY(HJUdh6*Q zx9&gP{$lg$^&7Cj^OKLx_*~KA))$-jzpHCcAAWi7Ki99VU0>cHz7`+8c59>ixz)`z zM$*|}HHJ4o(VPwUtNXD{L5}Q*B8g93MkIhazQQ~rk^Sun_C)|Ia~OAR<(xQ3-(Vt> zdxmhz#^9Pcg*rati5_$siuHTHz!x;#XpaR*qfUwvg>%Oo(TNN{AKDRNlbEjLJL>no z+~51{Z~8b@q)kQ&I;;@>_kBqZ{@a$))p?PMoQdDVJ6EbV6!5bL<0F>Kl7Ml>#SHN$ zZ)L=m{45t!3Q{mjk56Of2g6YbiDU`K^jYpr5iKK-&Tv(YF&3G9fWIhtf-Qm52}$Vg z@O*yDq zBnKh#@fBw=&uDchCwkIpo{3I!JvgFzx4fp@y)@jjc@vE z-}o!v^z9w|cf9n2hdi6(zNm^F&c!0p&{6_^-#bKhdC4Bgctd1wL#z-Ll8|UWa+TUT z$kKRhwd=$#RPYp8ytx&^?ND(F=2!|Tqh(>>0tr_O1c|siA`CO>eX$AE=)2RbGx z_Yg2yKn{>LR$v30^=FCN15$*~AEoEHb30*ys4_tR*3q0)TmWg;(C|QpQ}Lh^43c(w zaB{#A^=>gqkgq|S#D}cZ=@`lMNP_VU^ZS3;H2TsW_}t#~3XKF)Q}EiL=Lm8p7qO6R z5W|;&H_UNy#bE=2-9W^XPDWX?QPG)0;9YXE^^escz%5|C-?^;n%$!8hgQ7Tp9NMFn;*?KQj_RpX$DM@}unbErRrg+QXA*eN~P zaf*F^h&uo(2|lZ=<~`9eOVzP#%frdMMgQ31r+YXfMs(7$CB-cSgFuYRu0N2d+4Cwr zzks_hN`>tKx74a&Da$6bx=!IFCNx+%i5=r-4Ee zf;MOKLA=|3yJ;!=<=Gci1{}`FU&FkHnT)h7>9>)#+GTC2KY9^5hi+nPY=?5riblMK znbn_rF^VH1CGZJ|FWI04#@qN$L0<>a14Tm6Lv_V^L2)Yh5#!4pgm2|K#HZ=ymNgic z7kf%_Jm!(8>wcSo0*~=-TNBnt)N>;0fbFnkXfW){kaU=wI%DpiE8*AV6x( zkN(K7ab1wp$}1tA=U1`*XkTg%XXM88IRY322?f z&0n<8d&2GdZD-YwY`Z0K+LCE;0!?O#X-L{E`3N~ujFHm9(4)`6rU;unI!g&gJrBtX zA}hE|SSmiH;z{WgfphP3&|{!6NQKzAOn1WUA}=XrSg94qBb!y`XBC2=$cn*fHTaTs z59hUG?zA$JazJ}|3cPjGmd9I`#Ii(p2w1SjW1Un!!UX$VU{;C*u$hK7X z1{^D{iSRQ0 z-0tiTHqzF;yZr2{DUfgV+RNgwt_mcV{bQwt?imcWBqF{ksz@N`a5CvVaT*&asJ4!} znBLwCyfLiJ+@X5ZpYM*w<^%S785lv_%TM!PRmN`Bm0a%_KOFD-LasmhZm;9^ZT#LZ z8a>=Al>-zX|m+nK}5TK_IxrcTR;fWxu6jc|kJZR29lgy|j zgf0`vFl6iE#D<2_ab@lhX34@-?3q%>?bRfEAlJmlo6_C7KXw*B-s724?(@i&&xBpC z-JeQMp!U7Uk#b*yT@89`!Q03%bK`90N#*sdnJQEkimF=%S|F=6^ zk3SuF6~D!kkG~zf{vLUZP8>9LPv??TX 
zvNHh4KY{(09a;|3H}|93fa8u{E_bpe|I{Pf#agPgE3{Xjx=hUiFkE_vHqvx#sF=E}HMd?>{XgeE~{!)`XY*zg~$EQ-7aj(`;SsRR~+ zLABiLXicfm9!3kxQF4=>suE2`bIiI2E5#?WHNZ}*jV6{RjfcFwhxoUaIpYqRI)B|< zOn}cPQ>eNBn&yN#r+PaGR={-L;Vof-m7UjQ(8Ir{9kOF%f{a&T($;2b`FTvXa1YqN zNOw*BHFSFE$6%;7zENgWYKZ}jqXsE*YS>L>#XW*V-`hyfAuEF{7s}zlhQooO zfoT3s)(H?N8n?6v+NvhJrL{<>ffadNX!+f7rbDS5Ubk8Z{> z-X&4WqYi(cyN;7H4?p8F;HFB0z3}mcD3QUF%G63mypAUaFjc8hd}UMt@j~MBB>Nsj zxM#-X3?A6c43?`XpYX3D$jE{er9t)>vLUx*UVC&)mLjDx(`T5>l&6V4s)`xEabfv5 z@wu%>x8YNT@^IM0-N4M!qK2MXzals8Own@H1y>PfOuBM$-6YSqFNo`j^s3mF_X>^t zh>xrCcj0$P)Z|csuvTRrB%KSD)?6p%Uy-xPiP*xbA(`K!Q{XVu`j>3yYixgmdUK%Dppn~-b zvim!m5kQY1vk`4U@vhYMA1-~AVYVLeFD439WK-uKE3{;!$<+VvZFbo11$8zEKFRyC?Nu|wg*~DP&xI2nz-(&8^uCrbrQTp@i(*TD5DGa zndD=-nnB-1Qyl^eWlcE31>`zQ;Z>1dEQYa=wrPw(AJmQ;;_htKsqHXWy#5I3M!Srb z0#a2xX)ePYtDx!~o-EW%IXOUJk+N~73hfAib1I!bAk4>X4ipswHTj%^G+6{WTG^Oz zaJWGN=_}e+oU;QuKKK@suf($C;>D3NCCzP;wLB8M=Um$(HW+zNoRP{yL$j*tYTwtB689jftXxF%Q0E0yj1V~tE>Fz&ilevugL#*j zU7dUkTWQI5C^lq)bC+1s=K#-0gjHEp==5`{SLtDu zYoV!wL`h!IQ2edKHj{Mtv{}O-UJLi9tzG!cR?e|1tfVJFs}Ub<_f(uzAkplq;dn=g zlPU(Tz%-*E)G|r-*9zS9?5*aP6gh!{7`&W@01#5dluJJXVUNqIxYGL*X|q&tkgDZ# zQFmHomaAyKctr1W%%)?rBFjWIEVc94?}+q9vIAAX2ro4^Oq8Zhktr!w$;O6a?(qkU z+0zqxg0p-Aw+`-;EEajW;0iMed8-+)VjsG-?;191Zg@3=@&HsH7T67#CRH)<8W}Op zq~b2|I7UV8+hENiR1Sub0WK?4XkF{%HW|2tU5Glc+})_ep%#*sYgI>a+(q@mN#3{) zPvNOd4zJfL2CgQza1=AK@{jO3F6-LO-ujKfCzZ3)nSXuCqJK;KMxRygU+&bI+ z-W4I7=v6UxJkK)P_W7{=2vG>>lFXDnB-a)2@ zIlTyyiZbj?(=)>((rZi_Qn2mI1CwN3H*U=vOqj~g|XMPkZ`R9lem890RtsN5Ks9b zG{FYbq^UJb$r+<~j1=h!;5iSVdoCxr@4XJ()$?!GD5n17_3P`8F}PeERgaU1xa?cep^l1AS} z3?4Z1z>76qxp&xqkF#`#YCfS9!9zH|O6N1JV0y&EW<tuItIyBbvDa_Y&z0Wi@?cd#fBQN-_4v!MavG}3oh2Ta;Bsr=dOP_>YfgUvBm z#fLX5^q;5h`lN)48yzPCr&Jz-7jEzle=*pYaXT}mp}&P!hnO2>0y5-c2rZC&3{YwG zk@SC#_)Q4rOk~Opr??WPd=Q@4BZ=way3D9#=F{z-8D`LmL3tFF#}LMo?GrsaZJhn9 zm^FCNSi#?6z0vkpSI znfdSuc?C{mIKP0%D4P+^C@?64blXrW?SIL)1Isy#neFd)-Uwz4S1=oV_Apv7X`ILm96I8tmTeWw* z_GtMhZ~v5TGUEVr#g1;bnO6R!W{Mey$=M0Em0S^hF*yuT!xtf2=peiMNc3EHG8<7w 
z+*;8cj0t?I6Q(2JM%hRvMajhusi=w3UJ&g+P-da<<~S2UHbSSi0=4#||C`p+WD(ij!eR4*y^>cGZ6% z+(W!9rOxg;{&SwXt~NgV(C(e>I)_9~F&x_mwBHQyBl3UzE4}SAU)(R@Kup;WC+Pj{ z4K(d%!06@b?(YNOzYHOyyE$pL!1QJ7z4f3WxMhH3|L(97j$>pwf&O8rL7Wz%Zffj} zAw0xci|KC0BerTmPhjfhSVd9=u6H-CR6o0-#fqJVQ#~QB=YU7Ags6CX%&&c8NLg-( zDnpu6Qq+M>rS^{Uzd8p0Zj0Uoe5ria;bCaNjCiLV5Q4c%iVMs=@M`UCe zf#`U=y2+E-=s}z=zoF{%d3UMZR_wIgtkauL^Qqf_zQ-d>{YY&Di4sG{;+s)R%_MU<1}LR&Qeq@_O`F;%0Wn!P-*hyYSnmh zptomrm_qAxs0s?09c2P8a0Cx-uKo3NXG69yNaaRlYnE4`aROCw|h12tPI87%M1*&+myq*UN9;6w# z#T>wpr6>}Fao_>fh+MX3}8uXo*on{VD$!LD-gaVybQssmj2Z|1l-pu zz}Qt6>D#YRCX9fW@qqg;sAZ13wE#I#d6t|N!kqHLimeKk&4!WO(_Or|2C~-G3O?rFn#B}S#4PbVq3{YG zTN$YTn}FN6D1STyjYF^lDz@MF&k8PK=6kVNxU2;GG)`cvVbjIHx&y{%*!Xe zEXeeL#*DP`Zu&lkWBP~2@4(HHkHUdGSnp?s8_DoI&LFqIz;jmT=VPx?Pd33>*0)%B z?%19u#Cvle(HMUHQtW`2d7Lj6eO(f*LNFpD32x*)zu|6`q>O0fK>W6tc7hNXS+K+? zri8d26Y-M)jL5XyIbL2FLNLzoWdAt$t3gQPtC#+t(=ikHK8d)7f8<4hOrrg!y}fPk z2KNidC6{bSX+FR%=tkIUtDUerYO^CwxDv`$k7m5W^+A&>HTIoV)#XiSKpAXuq;_39b`3ze_l@4SooVwQS)I zKIT<@Pw$r`vVRjripx*id6A3mAywg3>oM;J_=GVG$QZm3w014b5zG?|gD~QvP+4dq zlnZ~NP`M>YZA*b)Dt<->iN?9b1jy$!{;eqiW8T7LSh<@|VKR;TL&0{{RISVNYaha> z=9PHkQ!Nw=*Lkud0Cr5H4qOU7SiIoy(M=j1;~rM*h<)vaVaa9HPZ`ya5=1{*Ir8yF z0&t-`KW=V06K;~KyRUT07OfeoGUq-?3R<9~Ib~$Cnl2sRFh>QJLW`Xj*r!1PyG?de zCddgOmEOjkCB54^8d{^ATb28v5BE5&=i=;vN|u5LtsnpOAF4kI0{a9j*pk{ODfhXD8yZ+dDv(lL#H7QvXV-xmPG-uf+?w6aAVMt zcP0s7#GMi``7<+}kVG6n-{b@~YKW5$IA z5LFz^yq;X5sxACZn*Eo2eoVO6*g`JgtHHZQb^cBoU-fgM5JD)|v$x~AJ=_+BB)fx_ z^$_EdV4*y9qw3~{p!owgN2nVdiG`FaFzlxgOK+1?(I)bfI;n9&3{{8U$p5vrJGC+b zJ-|(52f};^hOu+XrrPBSg>^Xq_n3@UkY&>I7rdy-dB57^E29lHQ(8yGFo(k5!6;0~ z{#F7Nk+l;i>mmjZcodR>Fs#i@0*b-P952!=)#{}Md4^b{-f_i))~AMX2YeF6Gm-z$ z#Ki>XGVfQxl)UBD_)s^9EegLXuqf2iw@6ff>c7VO&&?n9@eBO;8Z7<(wEe;ia!$Y> z#i%U3y!L&ok0iXJ7@gw4WIeS8mE4t|?=*H;Tcxd(CT?sx*(n5`*k9`*NE1DeKAh0n zQLkC|Q5YsjCe7V-sI8*lQ5U48Y7vKjss7i~H&JlR`);l-19sjQ;6{N_uq0n^U=A-Zmc#ygHDicc zQV#?rX}ZbT4mG59n3IwI9}y~Sn8%pH#FkcLTvecM{F&0W!WX6gpt 
z+r0HTHU>cO$4={ogkbqJbM@%>dJBQS2#YJm(}0Hg~!tYz?I$Yi}xDap}zZN8z#ms-9$f6I?LwO8;8X7wcGPfY{y zSrzzT`XAmIEXYdei315%6}PQm26%-|P;klDgKN0(^)E*Q0~fW80TchLjC)*7 zDWqpY+!fqoj|QO$15@y9Elu#2H3E&-L3H=tr!F3ofz!(Ct{Z;j|so4RMC3+~CsdUTIS zJ4Zdk=Zd}gT)9bu*PF1@4*I+&69t%wo|%T&=2*CH_wxGC^<5zOv0 z@0~3is9?%TJc5uK0I^bPkTM2%lm9+Pi*Mp!tuco9vWi*CS9K=PC7ukwx`@dUrO#-B zXq*qZi6tpyiHRqrUHTfqD^*MG81l2>Qqk_2 z?WG4eFr$r?O}l8KuHP9m!oG{Fn-D9q$rdcZ2GY6Q$>WC3E5r?L=6obQ_{8UG4b>wS(Qz9yIZ}asxustaR6^%z?FbJiKii*=IKg+U=h?N4E zxqhMgH!H#n=s%;Zgt196^uTc2n;Es!p43mboi*?;^ThAOZ~K=3#1Wp5 z|F5r8RFn~c@2AMEHyXmBz@-*ApUkiN!*8jce^WB81z0Ze6RM0Ef~~?{TcK~>NZpF9P)EhfBY)X-))&{np%N0YpdHx^Cl?gH#shHaE zY_kI_afu~Ig$I+OkDbQBPDM!5?5NXeL5-3^PUDW^%i!#59#Z5G=OD@qD+76=u5|?+ zLwJ)`nl5`My4aKdSbkKL)V2!oY_m$t*D2&SRZL4Z`}k6>!YsNmj=B=pwNW$CN-Y(K zV78f17VY}=^?%v_W>bM+ivIj%%Hb?USTta3EQ6g>*pc&LCb5?1~v%*jDyDk+y+s)U@0p^Bc9m z06(Wp6~C^41Fwiu8HiDlx=vn!^)dJE879r`=nvxM_uh&ILt{XVq;dAQ@n?=yTZ~YQ z%mS~W#W{>54Ksq{fOx!$86v-S!diyeJ$lY333yw<{yccxSF&V8fjl5^$KgZ zSxW_^A0lq55r6aU8S$0~EGSQ4_jxaSJJ7z8;3_*Sgj^+vSXX81u^t>p^%><_P3>B2 z%b#grPn@D%7nVX&{K5C+HIWmfdv4;2vfF6BX=g?q;Z0!c^Y^=p&5zjqO*%ar;_6G~ z9}=KkVHkHGLzjLqmu3N;V?^y%u&9I@a<~&KzN`V{{5#R0oei4{I+Ypb3hti7xxy6@ znpqoN6D5l-fe|M$W5}6y*L55WxS4mnL@KQtgdMmFT}$=d?v^2UwO4D11L&=d2&Tj8 z1nh?|u6z{-=YeuXx8b)+ck?D=r!!oeUbRIUMtPFW z!_E)cVvURi6`*=OSIT1ovl}yyvWC4qtY#7{Yt9mq?|HqxJ$1isR71^7!8M4=0?TH$H}yH0|AcvluE|BU5WkB_Ak@o4)UUBY#ne9oei7QNqSW=LYGT*~FOo7)tt^R(c1rmUP1 zoZxgX)cFWaKQyq}sJU?aukL3=N1`5=Lx5M0#TSCy5G(B~y7>(BoU#5% z>Gv(l+Q?v4MOKg1{h<>(sZ*dS>EfO=?gylPT#S(awehTCFHcZj*ykmL_c=}&uA9ud zqbPt4izl7bJcBVYr`G|pk@b#j137J14Q=Tb8~3d_-(4-4Z3`V;`UJ5w1;=``PM52S54>wv{y04F-1 zgO1P&bMC5&W(j}t4%wX^0CPtJfof>I6d1a!(*a(jwtBv|K^W-Qut)WahLS=GoPNm` zBwCT>$xIP|)^(9E3yQ^zZp!+Zz5ph^Qf#6OjA;UqAF29YETh2-I< ziJxaub1w(;i|Bkfh<|)EWF z7e@h}N_Dp#W?5I(RV_vKnneX;WEd^x7je$#d*AJ`7x+0T9vB<4 zUk$Hsj0t=-3Nq(^5erX zS$9R`Ui|?-d}o^M91QJTx^;KEuMsF#o3>nerh=4_sWtM6&%%no90);+)8-i6(yrgn zz(p7CWpKrZms)hk;U16CoRL2F_29-Kc%CAdHH)syZGV})pL7yQqGN%i89F`adA`K? 
z_P*Sa_TTcW=``Kt#N3~sPR{)(J9&Q{a9Lfv2xPgASm?-aEc``c0K_4BXK0`%swzHS@1MMAk0tpW z&zv{|X({09imi~W)$tk0h3v*D*nN2^=uS@tRMlR65wLZ5UqVtlYD2r)vf>t)F^~2U z7Ntzqy}O2%%=4!CnbRm3=FFQ;=;ruofY4e8u1p@Qn>r{qL~d2W61c|n;S1G9Ssf8s zmhBkw0Sn<%&J<`td}aJe;U;nqx?W$k*^bm^gWG)y6vuG7&R2P7y?g~qI^Gn%Z03}b z5Yip~gwvSZNxKMsGX#|4d(BkZpQ8l-ORkgbtbv|bEG=CgK$O2#qXhF{v~K%I(N8?g-NYvgwmL8f zyN>VN$K<%Pk`-2=HDKcp=3MqZ?})3UH!3Aj&H4w0QAq5=gAAu$AB?cay;L+#qxZF7 z*ocW^iq3|Sl$Z&(fYd~$H5F5bpagp*5~psitb>F;nKLqUe^XVfR1wp}4H_L%;~n z=gF|8Po;ZyC|G5Q$97Mx1;^I0-2=L^ka?;`X`s4-v(p0tV)p^t8F=|BHy}Y}+p;~| zEqqC1sS-sf5i}bPAdra?y%OIUmk)1gxIz6o*m&J>p?}`^hd*~Tc)yv`&rr7b%ULGt zhh<_qwV^>QQ^*5p#REilr;rJ4n8vl$u&3p%r;&^Xb-g8lv&!=Nb(wUir2%v2`e`&F z4YFSid95U9WKfCc2ejIi1s-HyNaTUVo1oXKAOHa)pKra}|8xoa+x>VU{q+tKhH-{_dBj;bJ<YMrWXKh2D6J3Ha@i2YsdF4@%-1s{IXjO)Xi;CeEk8H$Gt&{G z)tT@h;S`$b9=uwnIYNppY*x8&x#$SSWf&w%k)==y#+#RfO}f_DMDn76&35N@Ci;F> zc8y1R+Bt&C9so-=70Jv7Qit#cE1i6q2}9_}0zhS!uE!B86=OL}k{N5qzqrL~GO(eL zfr})$-i4u&L7|shPR6TJ)2n-_|1@vn*{NpAt5Hkp1TZHIVh^;=pKI+Mig8JV3Gvp! 
zx3~jt4w4LdQn8mK5XpAm(eVhmf}~VZ2GJg-oKJ2@Zfb4t;<{N`yN_vTso|X8_`5UH z=Bt#B;uUJ$9-8C_LwhURUr6rRcP-oSJq*ctwoLBIcxFR z+lz-GJDc5W-~4fBPR7o@E*E?le#y~&XB&L#GHQs_4!V}`c8a@^R9QJjqg}~Q3yf43 zOld(d2xsDvo}{D4vtCU3i^>Wp_!Dh{7KdZ=LZ9hy6SagJj2pO9k!Ev(sA1w;zw>&b}N5bnT zi7pwyzto1-Tg-1iLRKjMw9oq2`x$?9sdn(B4Ix-#ywFCLUGF)=>1yrow(fP1@+t<= zAeY&Zu@u~(;sQ&d%^(0TZLREh-ZlVa zbJsFSph|32Zkbj`#@~Qvj@qkC^emiZnt`oM#>pob3xHQrnP~?hNd+i}P~m{Xm^bB> zx!K)piHF;HC}o$np8J2k^l>wWuO0#f#({IL0mo?QLFg&fx zj{Vu<8{GW|43{CVFU(JmK+AP8>u8_nv5z8XayjCS!}0lQ=QcQ%Mo6~%^^QYz_jEF+ zFH&-OQX}uOMR%eFr~glhyQq}tDi)o=&Ai>KnlU}LJP0)IMemvImMw*G=m_)Xpa>ye zVvicH)yEk*6St@Jy-FLDv2SfKTz)*o+b`986u#P7U&hrC9;ZfkyT|QGiyHg^xNO3o&2!X>BKeiA z735hQ`t{#uhpyL>U5qK)-#LkB`>sWn)s(>N&d72=6D7}(W#~n7H>XSX3?7Y47D-3^Q~PJRC8i;4)vvhBvWgMG3)bMwn2iuyRhQyr!lbkJWTQCy!s#b6_ALt zdFcx0K>?$`ULBg`(|Afg%sI!Y8@?7g*s!)zMP6dMhfQRZMzBa2P@fr`Za$h8xYQX{ z+M|TLE}O#VSp?2}w59VOhnSUykUC`BImfXIq64_(^2#+o*2KE%O}$ooM&u?-ZMpX z%`S0L{CYx;S98sIVfh|+Q)dO#^7_~31uS3!%o%&cL$`Vgzc(!EY&GfS9*P@e@kU;O z;f%9^81uefI8FuC3%v0!e4~E&Lf;CW`GT^6INwa-pEOgr%|ks;0=}TX6L|@soOTF; z-H$w0%{dMkj)pxy{0`y6bqaBAiI0 zoIze5rginVfIPW?0NnpxAU5Ski^ywx*h+e&PZ#kK-(gw437;l*r3{hEu?P(9aXDg! 
zHb8`g%!k(V>}}YjB3JI{8YeKv!6k9P=i>m1bzcppvH?*TXh_gCySgtb-p;Pe6E7eN zRJh}GdgY7yA7`(S11R^UUCOa={;z!5Z-Iz)Ob3jJv?8kN>H~@7gOsEg_SCJekl~Jv zdGI!fZqd)HtDmywppDe6oZM31WZO@^+&@euK8oK{Ei?Wdoo>Fis@ZO?dF66#Ff$B_ z3~o{DQ!+apScRhA2`qDchGDg=MVo(DG;G8vcz8MM;|Q%Aw66i1$IhXvV2oX`5|kNB%A*HNMhGQ5T!l!d zk&!6vanR+u?<}Fgo-gz8ciVj1Wzy?x*JD$A`{aTJc;;YNa_wmbPqFv<5wZAx3W@H@ zWJl9;(zL~DC5L{ft7!jO)%)!-#hYhZ00&oE`hMi^n`d9$8XFjj|I0^Kg0^Bu6b8W7 z30&fT;A%a_b5z$NNKL?6GM0^seiDIf?8*x4P^)?AD@zip_tOgKmq zoH%)PZnA4L&$h~eb4hoz<^F0Q1Q(|$V@zaKgwJN!r3i+4!LV)&OQWj*`Gz`&il z>#&Rw-PAuMVk;=8q}I|D=*)z%X!yYcdbmT<)&ZJBJ&%J-iRO1>p)G~-iKu!8g@QaX zA5IF8GzmxYtW3vcmimvSVLEQsP_?8$_Lm#mgn_LHtuL5{=g7`=h;B^{d6EIegv%UF2*nch=LD zJiq+2$+2fqP|xb-T;>f=A-@&|x&1;~)7@1mD>sZm&Y@ikx1!ics2R?ACkpbSN9CFzHi3!^%MoM7qh`i^D#D1!I8CJ8u-`PNP>tv<%is>jaM34aB$zl%Y z84uvdoZl;K0zKRYs`Yrmur({M0oGLRe;&{p-Rvo)SXT>;+|g&=?E(GSRUO~F#tdbW zC-yg-Hvy^*Fo$qjXClfHTG;?wsNGz)gW6&h6g8lLMY68jhLRgR0u|Q0nR}BNC0US= z2uO=kJM-?{tTHV}^k~2pSh-e-)u<{i_+Y1e`%4ptJ~bWm>nny8eQet6haXBi`yWgU z#b8ZWX}>eU^?DL|O(<_AXiGH*T49v{RGlzaf^(WK%y%x+;wAhp4V{CZ-9~`~Jdzn+ z!BgQNmmPmXupCTG#Px<(rNQ9FBJnPj(A)_t*$=365%h@2r+Au>x>ASkFy9?BnU&DV zolZ@Umqii0c{kgze%YVDn+q*5Tc|gVZ%9>L9f;Gt=*WPPnIv-LWa6rjz&Q7w?gcKD^%mNlJOq?W8 znQCrjdYq~~*b59%sRf2)sav@3U|I6>wSN>+odJrdtA-m+H)WKVh}JnJp|q-j1J4h= zt=|%EGu^w4wBZy(KMLG+n4Mkf{C8y*E#b_h+8mnz+Y4LyV-%E&|4Ib}Lr4zf&W@6l zIP^w;fFqU*{<~J*>e!KOJGHIh28eb*~M%8W1QVwl_eYTrSq z|DGF{0en=-R0C1OjZJwngAN>>F9O|ke}DAGK>UHy2_xE?pD^>1{Ie--IaPILxB1fBv zZ)8aWA+~Z+s0Nojsl*9V z?P7fyh1o;&hr{wQ9;;6V5BaGc3ytcehoab_ya&~YW7jPUBr?vZFUtsDBTt>p1UP`C zY&#gN$QzJzzJ52lvi`Bh(R%0`{0;#+C&Kv)G=QpD#=fm>7GOWd~Wwr$%S|6AusVNp$W?bMs z8Cya#Bvu0#Re>mt9oi2rfVE*5dC;J%QoV)s2|gb2bCZnH58pSJ%%Dvb{p%&*PefhM zVL*^PFU8K4N7f3%vIwR}KWTCkt{PIIB{GExPa!Ie?^2~!0T-lj=$=P`aF+RHj~53U z_X93Z(*Ux4aT>xWL4B%y+%9iZB-(4Be*_p7D@a8gfmf>Juzg`Y&G=RCNGDnHXK{?1 zE8$I6|2OSx=mD4@W}HD_Pg&VB9>WaS<54B%8SoFvVUyP?->=Xz6E+k~)UWAWoe*LJ zS|J(8IG%lutD+SVWPQ|Bg(7PUJFLY}NOHOxuNXx_BGQ}prg@UEYHS_O`1}ZIIkO^qb#vr19&xJXvh(LqdgBo1xSVRE0=? 
zjOrBBY7}L8`^t6Qg6h$Tb%8H{ywZ&F^)CAFAzQ%7B`jE3^rV_D(=lI%u?Ikcfm}6* zY~1?YiaDZ}$<0y-R`vzOaK{QtaD3ngAsfQUh!{fgAAZueH{FKmJ#Z`iIs1vPSTERe zQ0k`w{F4O_qV!^_s@O3e+m5=TPdt_+&dX5&_);82(7^gbR!sm#A0iU>-x%w-f$2b~ zM@w(N-;2ID7%@GIq(dX_LMV3^-xLUx76v?)P_>vFsFpFmfq5 zf4+Cf!DNTo0U;QteyBnA)&fD{|wd&GDzy38OX>M=#~ctnlnI)ZDwJV z7}Cjf9s{q6+78uy{n@>gBy1!UB|=dQ%h7Y*YLPDuk$9LP(xs~8Lb9{Ab&SprX*~cS zH*8UNlr!MJI39ap`BmMQB`Ml@xYDkkPBtBZkxE zU`>xhZ#36z&K~|6y&(Tihs-6*cVfeZg`t)gcVxWuAEs~=nKtqSUBlL1m)Pvj7QS7* zps6KAagN5YW_o;*JkD>tkml`H1A>|JA z9XVh))fvQLQjy|fSxBz;-0n^%6+u86$sn(UV$cw@R0`GJHRZ_JXd*>vE?58FPpQ=K zzhnG~f!GDZ!g2~$=1+GiaU96b&c)G)D!1v%6_}Ca3|IH$MdBH5Ut#dcM2U^WHkc%$ ze*;>TwxFQxESAD*i`YL336?{o^r{221FA=g|KbdXkwo#PK5QL%Co^x-Lmd;TqvjlA zbN8r+JP~&ajEMw;lMAQe3qF3oR(`DM^=gV$+HZD%A(i~ceuJ3s3tce>QV8kQAYS&p zhE#aaf4-3ipudF2TG#3b`{5y3)-hrTPoJxJeqWwo(`U@yy@;$@o`@~mRiDaDHiw3= zRsR-=Nqp^i7e}u~r9yHmWrE~2mU$to-$y(U3zjpXC4p1rQ;<6cqh_n-bE4o>BP){) z7^p2;KAp#nv;+iXoCm3&)PuDMSt06axMYtLU0XBVK)ekVS5=8z;z_Ve`hq}ZYtfw% z;?PUQEha?LWLGn{A62Rm&W;+XLH;rv+P?os(@N64R%^j+3CvtYkSfuCLpzZtf5!!; zvTy8+_zCws#@&)1;|-ko5$a>a+)mibZy#h$KqH*QZNN;>d0?0U?S-tIf1w z-qL)Fd$wQZ9h?>4L_$SmY_b=@6TC$fi;fHlst6q2`u@lnK|P*We~9$LNCi_c5l*k% zvm#q!9YeG!t335Mhp1j%e~$HaWc3PV-V_QR(CO;p%c099gV)ps_6dH-={~%OfV@x)Z^go-|=36_N3%z+>q?%Xa<*4Jttns>4x3* z0cN}aN2~~JB(!eg=tG+Wyu8vz#17V0dd2)LvV zoU({26;@7;-YW&0l|5zVXcH5gjN(YI#rZ>OC(oap|GLgz42o6=M#*B|1Hy~pgU5#y z;caYsR8nYG00sl78-t|rI~U65NY{2aKpn^PM0|yyES5km>rGoMz`KU#6v6MUv5|pq1uXJ7e?+7&g;paRaQ34FDyHVmd ztV@_QNBmt z-)%N>_JhswLw?H;p-L|+Iv0Abk1m#^Wb-D;^-znBGYfLBAZ;& zfO(bPTlB}UWR<;_&}(FBS>{u)CRHhtVh5JnD7OuVN=pP?tEQLPT^jSe;%r|!6>1g6 z2|h2XW=7g*>Rsn6ZH^+MJ#fM4C7RU@4~@CGz{vm_@G)cM0(Lmx(Px+uw>uKJk`U(4 zl%+b+Kd3wXR-vVBC;^{s$PWF5mI6^prUs4tl$YT1*9>6FADqfj@^@yA6d`C|<6dI- z>s7E}e@l9u2VLQnzBk)n(zpOa@4%2@)NM8=(9h%OQhJq~1aE5xZLu=;kVj=Y)x@el zq6sa}q|@~ZtuDr!v>NOQ-nj{Sc$t7bq1_&odnnb8!VpHu07Bv<_OF*-P^+>&EFzjg zr(U0QT8;+_6vl2!L!)f2r8#RGg&in2%Sb+BC71!jVd5j{HS7d0jK;o5TY48f3(__5 
zU9s&ae(SIV+@Am%p`hX=zKN|!4UjXtWuLu+HcX(XcPJP3gwlm;;|^-LER^sFktKQ2 zTKz@`!tDM}rmVlWOg}N{<@X`&>4pWK>8CO*SgVnIeXucB-U(;(H#Plf2WnfC--DV` zy%yt%p76`mAga&AI%L5-Qpv?J$<*0a(QzoLv4+G0i5*lEo57o746DdURo)R=gJn7W zdNf)q68?ju+-+CEG%z~ap$TZuFBMDClBf_%#C(!|nOQtKCKe9SIB1TwDI_~ZAZbq2{-;~<$wpy5 zy%0u@r7XcO^_d?Maa!v2xH+G9Z?b5VfB&p}+SN39)<$v^5(D#q_ zDx#QlWy_W>EbDEy2-MJe(tK<4M2X)fS$i{N;}9<7bz&VXKws>(@LPQOz%T10Py$e++sa=Z2He|8s8MBUu5!LeAfTuKZ~!C#03ZVNjui8Eg8%@D|Lwy4 zx8h;L;OydQW9m%rVQaIkK4rJXiMoT4;g8s^{#1Xo8CF6ZM<*NDnr#xWv50JnQYaZ% z#Nq_;{i=6iI3bl&WjBxhJn9n>e#-ALj?-Q3WX6lAsWc#Rq_Z(j$csdEyoLDfjFHV^ zk^=pR$}%7o0be3|Th#Xtw3M6Csf$Du3otN+c%4Fxo~BC9lXUnXjT-VF&B!DU&Eq3mHNoOlhi>nNm4KkV+3na4r zf4Cy2(j`{fEql56&&z}*u^1JzD_DElIP-s)6PMG~?Lnz{(D8I4u3pnFidOXpVbZyz zqri*1LdtPa_0q%$K6RppfC{&PgS_ZpkH6)FgV*Yc3V!VPjKN3{nu-aK~+8q$|N`|H?N0hG)hLzh~D&6j=o2@7Vy_i=VPIFtXLPHG?u!8Up`h z2T}$cDT_W}n#H#Ix>FKfbLJ$Ea%X&;tZ7Fg#9hYgD?p1Y;|*WWFq+VqUyoVCHF4#h z8C$|pUJ}L?x|_8om@Wq-vjQCuezPuHS{4 z+_7Es4$2vN2~4sB*g)~k_;%eyB`(P(Pj$H8q3FN;qWY^|FE}WBgVYI5`y~fY7X|x> zw@Cfz<@`;t0~orJU6VR~=8CqDE$Qe8$w5ZA7pjXNFhBV4ivDzx8-b){^O;6Hm^VW+ zE>)=uXcL&1US?}y#CHWimXQv5m)*oA6J2Z(NJ+nXe%F$xekcrHLj1(`ln{OR_xSMW z*BGzmY)oaI%SG7FejiUh^<*Dgq0QN@^}aJ#iPIxA+&#DsA;wybISFU zO?<+LIS*3a7R|r=aYEmO-@u4lC|^iw_|oC|g8l!}d@!Pu4)v>eqFC(l*3Vb%^=%t1`1PZT!0DjaaJ-0Ya%(C57ve^7x@5sPtD zg`rrGuDAbM_r3+Rz``B{vTS6DA*HF8Qq)zzfI=#H%#{ljgtEqop4@1jY`m5B8UppN ziJ!7UH3I;U>E%)?ovSMZV$}#TwfD^j-&0dUI&3&zFN;D8p%esl&0(oekn@X>DWit+$jO=Ame(S>nG4$P zWlPHPD2uCQ$9hhAK2E~3@#E)$&6km09v5dDljEa@t;?&zij9sDk%mQ*&0fFu_Re#J z6?^O5yu`#{$G@Cz&RefKI|mDd6`MrJ5Vw zpPw9WuAWMjNX|=n9iEvVi(L0dMyjRm7%kDJdcv-L{jh#>^HOtdv~%)mdHMUM+9`f& zWE1S{gmrm&zmt}Bp@cbd*Xz9U;@81=_vps*m2&0H`D!5dpuS`3g5{h?o!7-Gx6$>< z_5NtwtNqs2&cL`u;U|%X9Tna1zr;EH=CU|Qq#{X%JfxJ zX%?g;fWEA=1J$>lS5^JjXR9THMvKiQ66c3Gb4QpZsn44w3%y!8p52rP=DF!zZU_%N zxz4C~xotOZptg8@u=l-x_(tM-`R1DRW?uiMbAK`7-R8~IdGn3i(Ulu5%@UcR)ObP8 zc%);*^}^)|ZR7R%@aAswtlW^7M4{)qh4aOd36%5JSY-@hI8LfQP-&9Ohd)ZtQ?orbn)IM53yOXND+!=ZE_H6IKxsr=-w{@fQ 
z(nzvNprgWZ;K@ZNOXIcm6?bpvB9}J4)K!CLTB*a*?ks+@+VjC(h6hV!&Fdwzd)ND> zTI4t98>6kFWemvOo8zAkY0hg(j^z!TZ+?i-yw$&<&1yQ>|6qT1wkvh^#@y?v@t&g3 z*{&AGcY96gU#Hc+Yu-|M#4Z)2qFM>b0$o6d2WPq|MQy-ttLW(%Oj56|vP8Qy)? z=yE~#f~ECH8oVk`=mZT`fTmu*?ZtCwvbi5r(aRw&^Ml6)9)b;py!GBOjAp5 z=->bfqSydL@1YN(PtixEZ`2nViCbtylY_Z|gN}B*JmdqCq>ZUpZ>D$~BGB_I9x4#@ zW?VO?$lG!wJnD5BrGCzGmecf2a8k-rs8T@$9LKiB9x_Os`p16OYW+xAJkIm1HJs96 zoJX_u1ul-@J)4K)>UrOv;Pz6tE^yN}KgVkRHPf5)DV{lTU-RkeHff%h`$LA$0w{7` z?r$!i;F8(Y{#TgY`^~CY&4)9gX0_J?-d$(Ht}AjK&EU7gMl=mw1m}1J6!hF61n(vh z0YyeJ2=UVpjhZY#7}#j zh_&6-K&@NJ07zQRKq6i_fHk9`d`5!5@A&Q@7ajS(Hgu7U|m12l%rkx@i#6@x_LQiH@h`LIcHref8a>|~+ z?C|c2ev(GtkEY0hf1je8{5?ug<~Ea7ru(;`ek^swe;1RRUmT8Q`y>AY_~ml8xdO<- zY^kSCv*c@LD;Y_kWz`3BLxSkTT-3pR4R6Zb|O`CeEy&unHbGpWc5) z8!}%Bqg||MP2iu`$~svqX5&Fp8^-mMX~i``Csm@UzfG5;!CK2dr6i0-hos8;vJ$Bz z7_%8;iaP5=a^|JtHz*%Xm}p{6myH)*%RQUXs*>VPUbhwGy)eWL8>C*K8N{<3I2uo! z`LsLH^49gO0g`$kd2{oPfp#?YUS=$Hi;in0zccJ$$DQPHiZH|8 z^;}u(nrK%<(a5Rg^!L8cVdKj*Jbcg9y!W?WNg=7#MS4yb*;MzN%_t3z+yASuh1WYB0zQN{vtkMMqI zBO>#0y_?Gpf&PsNA{nS|PvkSHlk{t4l+q>&y;4s($~EDw!r)7#sG%xi&k%G?=J-40 zsq!jw9TAc-jJ6o19~fUh7>;gBKq6zQPqE9jU2^*kho$kV7}I;Us8i_PDY0~A6ZvW_ zwBVIi#oqZWtiIJ&o@pS5M9}s|xk`olrP69WD`XXeF70*YaYShUg^%J)}7|3if>Zt2t1vCZhZj%{Doo zxjUv^`!Ffhe-%fQYFc;?u1Y9UsUA9P64%?@22gjuoah6YkI2HV1si~~m()eH1p z6Z+~&OyGxkv5Z;?MK##v$E0HxA~F$njq>oK8ZFeOb?K{E#+E7lcVhfGbz4P^^J<7a zKocS4NlKNSvFiCX&g$=OvdoG&T;Ysd>aeIsqoXO=uOsOs2eKpX+aXlKv?!Mp$!nd|E`a4Zq}$QTa^t z*v)~BZKI^Em>GtO+GM|}pNn&-&1f(>`Rqk|kBeJqTFQrCNmQnBT1ihB*Pw1S1S8|m zamSTpj%}j|J`pSVCj6UqxX_o;=$k0g>ewHj#vC^z8H;;o^aJ63`o516IgX$3A%km4rup(v??F=BS>j`YB=U=!A+7jkdwB+!@_rZX!N*@y`aPv~uj{1X3ei7>wP zgb?yxLe1H{Pipu-x{x#1lg{WdE9vMhv&UHJLd4xCHPn-_KjGSrRuz~J&rd>%ix<;v zlNc(eva0rbI3_I;5`T1X)L0}Wm^;M!>)xq|vB>LlvW)#vZ0==Umcw~-3i5)T)GqCvSh<|4X<#^(qSC z^^`MsP-PBRtL6%-H=pq{a#z6+28ljJq(b#~ut{}zHrSnly#iOws(N9kmQl?zN<|x6 ziO+z+%rQTk+mu(SWR`NKqvvi&LUOV(DL5O-WA2-`r@_goqSj#&IAX$Cc{P|-F4>ia zBn74D>JgY(e}}8l(pl#}SLm0lsPraXuku$usC546$w2zzftj`RxUOD&Mp&eYb$Yvn 
zdf#Y{|3Ns_cZk`&xOB~At&1mrE1 zGK;UR*of2Ff)EupznJ|pSNgibi@n%V38Zc`Xdg*9!bk^=29ZZMm-2Zq$pdd6sG|A_ zfU!qL8%HVgqd}ocJ9Bzv3A#VW9APnCk4b``{zeTISSh+-lJww5-}3UVr22A-uBCzR zuI~Tt;F0Ox*lu^Fdgb_IPA|Dff{-CSFUpSWT%cvjv&K;XP4WjMWnaT<^z2C5~LH&hnyy)6OzE} zK`OzkGQRn@icsMN!Vyh8?DYvT8JJjl08slGc;?X)(w`=zzrpxF5n<~A#l4*^4L}F# zdM*spNbmcb)+lwwo_=rdA}{K!5`dLM4B3_ODdX5wXJL$4=t@VR*L5&=SNwL+J9|Ze zB@RVXcWn*}p;ndu+E69NY6^J}q+%y6uER>g^xGY(o9rkLKfBu96F)u>OodFUbpJ+6?up$^BkgAlrocAuo8Q+ZQ;+~=bHrV z^&z-U*(PCLop_}(Tqbmz%9`{99b$&d65RQ<0TzmRinJz=67mPS*G~wd zq~4*2IpVojT;@c*CeukU>tT|Hk*?o)&?xNIF?+WlSh8LpzFb!4-5zZ92Z!4Vb}TQdfgI7&4B3AXri zAH73sh#4%lS;0hVdtrLB%i+pkiO=UG1i5n7?2IJ| z*6-D7ZhFrc?=M&ejbS5J@t4RHt9yP$1WbPznEqQ}`rBG4E+f%K4q@<}HPjWr?14vp z&kxH(-CV#UvRv9@Tj@Jm=`0e5dVuA7uh=_&dv2#trAx%f=y>>oQ9KTC`D=LD%0Rx6 zNg3K~)dvUko$#ayVH|k!Hrl&y>vCxCQQ<7oGT%CSTSGpoE|`N>t5!V5teeO%0Q@%z@CL{8wi{rCYl1 z?1!jUeutFFJgV+@a6|)&=&+`osh{0saHb8Sp&QXCo0RDZ7eVkidayKrowD0erU)vJURO#-v}ek~D&PR9tPms#ScHl_TD%bgm069V>%C)zXcmBT6nXiS6&H2iVPpQ#^4n7@ zIN6Dos{Y)l2tUy(HvmCO%g*In|9K@<9&9<=-U77NHX!&Qb2SlEexFWJl;7C=;%6AV zNrX64#5;mYuO+t?0)WZS zN}#T_UCRl|TrAy%uR>%3I(m-UDIR#dX6|zGMmKzxUM3__tRbt42X`Ew9Xh@CY~}dU zN8CsM<&XHx2Ybh>dU~Alg~l|v9j`$t)%BAM z;7kJ~X%;iI^B8I@s|O4!po9C++##KWCM7h1QmOh-xY;O)Ox+hhU~@KPZ~9^qi>_y< zAYqJ??RO_-?~i2jtUy<9s@--g9W9XmN&Rq^u!CL>=9zfq;~djHfkzXq6d-p!Mi=Ws zm5e3S2NKEBa8GGq!|zV9^>Yc#3rPHoBC6ed;cVM(VUZwvb@Gz(Utu|C@(_A!PIt~7 z1Xf4;1Z}-BU1`7%aNO%OIh?2-mCG*ZB=|RI3k^wWz?6_%;zTl}2kHikGKPW^RD1Kn z{htG>6Zk$EmM74qizKbmfBy`yo@<3z^lTARBicuifKGol06N{NPZTLVgnqL&UPXWo zUei`;&Pw`{t}m`PwvbMr5K1Hgw=D)X!%6J*s#;2$4v(Q^3Gh+={#~0290=IrB`zCL zRu8(ShS!=wfmnfO@cdgKm<}ha@h9>_&@M@dWvabmhLXP^2GMsc(^$H=OXW`t?;?-P z#z|o1WTppZR8VHo503HR%Be6|w}r1O1x({IkLjo1Dv+~|StHRejFq=GWw|@%p?x`A zvKNy&D3ntx^L`|K#@0F&BmAK+o=jG_UPx)YvlhXssW6@Ql2$unurB9p2#*)y?MK~v;v9rZ!AjR z-WBLDAzj=Pv^Hpu-*j7>$)0L+Hw)bz zy%X6Css}D>qWAsKrTLP>hNI z0vL}=odT5490+?v@XW$MltO?)R?P3BS3r4gb8>UF*OswNCrc<4E>q!m>t0thgHc65 zsEY}nu|DGKsryMlN(Qfmg?`Mt8vWRdwA=a?V_P8 
z2^qY6bMXw*`^oX$nMxpU+`~+!*<^*W3w@Xo$C}w);_7pL8Ox`kEpK4v6bXc=9O_zO zzAc5rxms)L69X|Zi3x5l?;K6)CLo%W;y+HgbEA{6KqU?J_wxQl5|1?64L7!r5(BC! z^vL(hLh}Ga71U=MM6ci({DY&I9PteOwkC%;5$~ECyt(id5to#mN*2P?>VU))X*LV7 z4`7ec7tO7t(*tQXmT^DV{?ECi6k{C%J+PQT8cJZsj^b;_^bL+53RWUW#GR%8W@S7} zk3L}5=AHec(F!)=0_97ad3DHc)IjNlNOIxIU%=zzN4wbtT>Jw(eJ#) z^d*-H@oL$^OJqyQ8@@nH4~>j}0xD+&b;!vSs_cS+2$h~I)Q{qlSx=9>UJS(@w?*S% zHtoEPa)L|5eP6}NZVfc3tjgzEbKCW!SNCnk!fk4S6_=D8m%={-s9_Zf>1c%-$i1cD z*D0RCrV@+oaF*_Wah$+*2d!2_=yL)h&@`{cftgo1F^*&Pn z885z`-Usj`bnrX@dqowBfPQ3PEH?nM|;*dpuz*+%P_U|*fm1>tAFr7E?(EO7Y@iE z#g!bdQVx&DyXF0x?@+U<=K~pNVU#gah9h=O-Itf*r@A9J(F4}w< zm-IyKO>?|>%HuR3Trxtt{B#m_$QUv&+p*W>dHs(1?g5^j52Q%mIGL^*eZNyfHD5m! zD`e>Hp56i>nzC2g=#W)ZQk-7{Aj^4|xc%wO*WE{X-6=O{_$Pf|)i+#=SDzxdAI_$KpK+@YVP7CW~rRzdHXO9UF!gZ?va4thJpy- zEh%8gJY^5$5wqHb_19aS{(!TMGUSk9ucx!xRWqTuc(b5DU`6mLeHlZY1`$gYx`eBHUchTR|;7#kREY{hOJrRtF(ojix^E zCN9v*1H>5@>+|dq9PIT?RGGS`GEjVCy39bZO|Bv9OJ0h{jwt1m{=cj2IJPFgg#rST zVRfa6GLY?+yGyOq4|fef(nTg2o&gcVU8`?t_Ce$>XT_T)5eH+L* z;$K#^Hp21W5i*=G`Md*xxV92G99{eo<=|oZj9HKeRzv`-_6qgEyez2e3GF9_t36B^ zz6PM!kU%bdqW&OdCf5z0xKI2G2ayWG7+^DmrqOxUTvNmSzLrv|b;BF?tc z?)9ZnrD?t`W_fE&pAYEOwi&Idx4AKtCi}Q95$+C^vMeu=i{l>0w4u{Qp82)-e(dfY z!jLIX`;6X&hD0tJ#$%V0F^_8JdM1(0aBKBq4vn-a zlJ;l&yCSlGyVSn*mr9b2iWJA)9d5t6;pYPo#(i%$tK8S3m};#}VJXDk;@=vD>fzqN zQ#gYX?KkOiRq+>0?5pv7XSO1Kx$=`Kf@8 zH5f}&w?#<4;``A+Md7rZz5NCyEgh*%$&mT(0OX$N%?ER^UK&!D%75>pIx+~b2y4{T zgUVnO+h}9tgnBgd9-|Pi&hLVrh3?R&^-G!G*9S1dRPRoFWjdKo5874m7iSUC7&Ji< zxDUM>0Ujy92UNS1r$oAshkM-GOE$&mA&c3?Ky#!O`PL?C1LuvsYMUnSIR;Q83rj4T zRRCBx63A>V^13R**YfXi@1H)}>#sfpem(`{^@Q^nW8d>UD{#ee)y&V5K`Z;JPDSm) zf=Zr?ICfEQ>(INFXKgp%y_b!4bs)5hSX9}ZNjwWMk<2JK5a(9}ymW2YPA-r=^6PEp zESWJ&E&j_NPyW4d$o}WekFu9RZn)!t*roAEc9gDG{o@w5HNC-)I-y+sPUf+;6)OEs zrm^}JeZRfnD~G@C;|eW{&-}ekljS!jli{K;yqVbX!<(7i*#0zFeF6|u|Ev-h3IkhYn}b9p z%SgB{46iQL5(9E#;0RPkdz-%a0ZB2@8+&VrYWepVItiD@5^2J0#RN}rNgj-=|E@SX znj1NS0qPBKJEbA6MlPa1E^2xNnj@vN8gyKlAhV-oKx4-z+OcE)Pg+exCnE 
zO_!y*KaZWUO1JFpjpkxuOY3X5y$r{CWL+uLqiJ7#@}O%%5`B6mkWT*+l(~3=oS(Zg7Vi-+))jti zQGe*Nu%*vXfDwp0wR?oSymOPexAJ(YgK08n(aP*G-$oRx1V=}V*_favj37JR)yZE} zy(XaHTc0WdYv_ZhuvuEy2Uj%&*0%b}7t$F?rxl+>di*r92>hSY!ZVh;K|7*d!v~`xK3&t^1Y8>Mk2+9#-5Zz7N^K| z8jMvax1Fq17`D|j142>|*x({TGx$y@sOM#B!%pj}6#?b{^nX8fQw^FWs+@7Q1JiHo$;8(<@I2 z=m~Q}d<3Gpe@A-W?HiH9ZY>q=c|q#QbW3~JFr;H%hmb-IJ455j3 zh5foPq$@7uu1a2ycMOs-1<(!+gyBft%1*3`y%j;Rt!}0uV>$o<)&NPbJ(J$`k+br! zt|+_fBXx8i{`^``qv@ofq8RPMLW5wleeT75O0qGkXL8b{xf7J^bT+XIQl}R3-UTH( z%LS~YM>Zjk1iwtG62?51$IfR(eWJ>{m(S{}q)I4i69UoDyqgakrg@dpTs{q+L>PRf zO6i#*_sN*VG_B3_m3+aBu6s)3lR?s95t2yHHg-=VJv-=*puAQtD`|yINUpl3od4fG z&yZ0iBmw?3#jB*{!tfHn{E?AM_t>Ho`(B2bLr4urj&M+CX~>(>V=c zZ9M6YLGIY(T0DD1(4mu_DW5_ZUk_H2$fmU6=H#{$FdAbn$m z-#~ckm8xwI+7R-He5+QmNuhcUbmxGM!NtVm#5EvhTX%Bo90lV$&eK><-%`nU!!nOaZ{p@$l^TPr){6L*;%&1TU(#nhdsF}2H;RXFSdWKZ z^pgT}S`h3FjYdg!&_&n?GzCLrcWD`bKBi_3mmp}T+wd8w$mO*n&JyMi^3BD1-TMi- zQ8CIo#U_^G8FgsEz9Q32eREd{< z9L2$m3zJbQ2X=siqt`w}IIxRa2pHq#_G0k^h4Na6b#}Z!Oh{=?;7O^QL=^qrFXO3_ zXGz?rsi}+ikDInT*)~_>gcYye;(Olo9`-Kh^p3Zx*((1E^*Y8p-EF?wyEHrg<#{Y( z*SUBU*>vMj5&i4baBw`e!ZcxWQAn#|F$}}pFp?ZAxL@Fmat7uV*gqm0L$*+;bC}yg zQkI{Mts>Y?SDa1WHhzzxI??3)bIrnr@q6Dhv&pS*57;b%?eM&8ay~be@`g2N+2-dE z86VUb8r$%F#6z)%c=y60>2}Tzd^ajSECKp_7!gB#Pq7Ctguxu^k&Vr&;4rO~6>XqZ zox47d?=!(7?B{~=rPb^ffDLSOqR0o04lu5!m+?MDH6{hM)3a3bn_yKm_R7K&AN?;-^ffNA?ig=+ zU0~ZTuaxDzsF6i*;Dvv~by2pjXUoRk$p6qATJ>~XzTA$aM7wP7ZG?Ge$)aXCD9cio zLDzevBE4+s)t#vJ2T;=dLG5w5^ZdkzM$d?U6xd|Ee^zv0T4B>& zQA5VkR-^anV%3Vvo__g|SLRu>MK37id2*^tCm1xs?HutAn$U44CI=HD$zbe}T}E$C z$*uv@+r5*j9{JON-<;Ccz%-h22>Wehsc%JgM^OpjgJWEm*)EuD{OaxVbPR1NHO|2p z_$)Gt^qa6zW>-fO+O@%01-W(J5h(gz*1H?x3_3zSdiIGNqv>zY*DZzO%Na^_KCKta zP1lenQMwVKh^i0b%)`Dw{alL#o_?YZG1JJa?1~8;>&mT~;^mW(v#He!#Yjq?S+w17 zWBdlV%OD}wRLXjidM2g@pO}KpBaA!*;j1!9HC&sIIhYzqN;!8MkU8x)+l!Yhf?bWC z(XBWNHfHE^==buzqdH`~$W%}m$)dGm93;#89>ql}?h;8z2_y{eK*EqlF9vU;r5y~iQ7uqomT6UsIi%HK zb^KFG!@}dVkyy4=Ew|Y;O;&M5aR_gk|+Jmv8 zIwrE&y*|dQZ*Jfvw@hCC*p4lcDBrPjj=;+Ekz~YiMHRRT1-p`dQ~HzNgI8 
zhx9X6?*q@mPaGPq{BsoU=}|nJMu9IA94cRs?aTLt(yTMx2!F|3)){?Vi%OFgu#3Yg zv0WB`RXQy8WdOz#$Cbh5L9M75*4&xD!~g6gF%w-9`|xWB ziG;EKfJKkqcGsZLRna+ebO^H74Vw1-g!!Hr$legW=!7{9=?Hes!|GG?(BY~b=Fb^`;>e4Fl))#{NIa7#Fu zZl)$Bsz7at>pHbfcK+c)?&%V2a;#9Ewo*`+FC`N!`^hf7Ur3qepoA=yn3O&q)y9@b z`Gh>m_WU|U=iTOzVz`e6n7BMMWVl}hKmRM{SHF<}zN}+hInfKw8uL7o1-;{uwBYx# z+1mHr2vvRB{i*ISd$hY#-PBmUeAY=ubJ)mW%<7O_P~{6PiD55lz^x9m!+4xzCELE^ zddK!lr;v0ql@_;QXQK)REp5AkbU03(OsqQAy-hbM1^B_erBR57Ka{IPzZ}mlF}3j8Eg24iYt9iP7;}>PfUK=S)!A-M6~u9;)uCQK_*_HL?F7I$c%`CA)~XJYJlnekxcr#7OHsyjJB zu^p(y4mjTYGrdK_9!(ygPWsBruQ+py5PJ#J9G9Yu*s;xgXL z&nb^Cx6eKVxW)B-|H}Q#z_->qB&T$fPj8J*wPXtYvtxVBQ1(TgAJM^*ijwTlt?wpxMrZkP?T&(9A0-lE_8?#AaAUacxjELn&t zRdWV#nLkd=ud4ur3Fkim@&U*Aqj~hUW%Ta@C3L)D1i+bh&_N)|{}?z3$O5#Q|1tJ= zC#s2~qwVi=|07O(&Q(n;aH>(DXC0t(|MsE<-{Sl`!rz5R+#?Uf5(a@VKL63n`Pb;B zyZ4=Vrw diff --git a/data/cis-xlsx-ocp-to-oscal-catalog.config b/data/cis-xlsx-ocp-to-oscal-catalog.config deleted file mode 100644 index cbcc110..0000000 --- a/data/cis-xlsx-ocp-to-oscal-catalog.config +++ /dev/null @@ -1,7 +0,0 @@ -[task.cis-xlsx-to-oscal-catalog] - -title = CIS Red Hat OpenShift Container Platform Benchmark -version = v1.2.0-2 -input-file = CIS_RedHat_OpenShift_Container_Platform_Benchmark_v1.2.0-2.xlsx -output-dir = catalogs/ocp-v1.2.0-2 -output-overwrite = true From d09b8876c5813fe415e4b22129640019e26eb84c Mon Sep 17 00:00:00 2001 From: Lou DeGenaro Date: Wed, 12 Feb 2025 16:08:29 -0500 Subject: [PATCH 04/14] Initial content by importing CaC ocp-oscal-catalogs then adjusting 
Signed-off-by: Lou DeGenaro --- CHANGELOG.md | 75 - CODEOWNERS | 5 - LICENSE | 201 + MAINTAINERS.md | 13 + README.md | 4 +- catalogs/cis-v8/catalog.json | 2899 ++++ catalogs/ocp4-cis/catalog.json | 12159 ---------------- .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.1.md | 47 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.10.md | 83 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.11.md | 35 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.12.md | 37 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.13.md | 44 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.14.md | 40 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.15.md | 39 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.16.md | 37 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.17.md | 41 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.18.md | 35 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.19.md | 47 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.2.md | 42 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.20.md | 40 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.21.md | 38 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.3.md | 47 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.4.md | 43 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.5.md | 43 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.6.md | 38 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.7.md | 46 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.8.md | 41 - .../ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.9.md | 84 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.1.md | 49 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.10.md | 46 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.11.md | 41 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.12.md | 45 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.13.md | 49 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.14.md | 46 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.15.md | 41 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.16.md | 51 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.17.md | 44 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.18.md | 44 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.19.md | 47 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.2.md | 37 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.20.md | 38 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.21.md | 68 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.22.md | 49 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.23.md | 36 - 
.../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.24.md | 46 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.25.md | 46 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.26.md | 35 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.27.md | 39 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.28.md | 38 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.29.md | 49 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.3.md | 39 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.30.md | 51 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.31.md | 47 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.32.md | 41 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.33.md | 49 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.34.md | 47 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.35.md | 46 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.4.md | 50 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.5.md | 50 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.6.md | 39 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.7.md | 42 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.8.md | 47 - .../ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.9.md | 51 - .../ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.1.md | 61 - .../ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.2.md | 69 - .../ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.3.md | 41 - .../ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.4.md | 43 - .../ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.5.md | 37 - .../ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.6.md | 35 - .../ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.7.md | 42 - .../ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.1.md | 75 - .../ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.2.md | 76 - md_catalogs/ocp4-cis/CIS-2/CIS-2.1.md | 55 - md_catalogs/ocp4-cis/CIS-2/CIS-2.2.md | 41 - md_catalogs/ocp4-cis/CIS-2/CIS-2.3.md | 48 - md_catalogs/ocp4-cis/CIS-2/CIS-2.4.md | 54 - md_catalogs/ocp4-cis/CIS-2/CIS-2.5.md | 40 - md_catalogs/ocp4-cis/CIS-2/CIS-2.6.md | 47 - md_catalogs/ocp4-cis/CIS-2/CIS-2.7.md | 53 - .../ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md | 55 - .../ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.1.md | 65 - .../ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.2.md | 46 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.1.md | 41 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.10.md | 37 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.2.md | 36 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.3.md | 42 - 
.../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.4.md | 37 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.5.md | 41 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.6.md | 37 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.7.md | 42 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.8.md | 38 - .../ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.9.md | 37 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.1.md | 37 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.10.md | 35 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.11.md | 48 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.12.md | 43 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.13.md | 69 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.2.md | 49 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.3.md | 44 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.4.md | 40 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.5.md | 51 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.6.md | 33 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.7.md | 56 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.8.md | 34 - .../ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.9.md | 44 - .../ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.1.md | 51 - .../ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.2.md | 25 - .../ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md | 38 - .../ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md | 27 - .../ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.5.md | 29 - .../ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.6.md | 31 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.1.md | 54 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.2.md | 41 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.3.md | 41 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.4.md | 41 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.5.md | 42 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.6.md | 49 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.7.md | 44 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.8.md | 48 - .../ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.9.md | 39 - .../ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.1.md | 31 - .../ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.2.md | 35 - .../ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.1.md | 31 - .../ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.2.md | 27 - .../ocp4-cis/CIS-5/CIS-5.5/CIS-5.5.1.md | 27 - .../ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.1.md | 33 - .../ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.2.md | 29 - .../ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.3.md | 27 - 
.../ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.4.md | 42 - 129 files changed, 3115 insertions(+), 17607 deletions(-) delete mode 100644 CODEOWNERS create mode 100644 LICENSE create mode 100644 MAINTAINERS.md create mode 100644 catalogs/cis-v8/catalog.json delete mode 100644 catalogs/ocp4-cis/catalog.json delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.10.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.11.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.12.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.13.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.14.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.15.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.16.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.17.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.18.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.19.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.20.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.21.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.7.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.8.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.9.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.10.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.11.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.12.md delete mode 
100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.13.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.14.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.15.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.16.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.17.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.18.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.19.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.20.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.21.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.22.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.23.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.24.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.25.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.26.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.27.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.28.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.29.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.30.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.31.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.32.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.33.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.34.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.35.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.7.md delete mode 100644 
md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.8.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.9.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.7.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-2/CIS-2.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-2/CIS-2.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-2/CIS-2.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-2/CIS-2.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-2/CIS-2.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-2/CIS-2.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-2/CIS-2.7.md delete mode 100644 md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.10.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.7.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.8.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.9.md delete 
mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.10.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.11.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.12.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.13.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.7.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.8.md delete mode 100644 md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.9.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.1.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.2.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.3.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.4.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.5.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.6.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.7.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.8.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.9.md delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.1.md delete mode 100644 
md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.2.md
delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.1.md
delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.2.md
delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.5/CIS-5.5.1.md
delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.1.md
delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.2.md
delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.3.md
delete mode 100644 md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.4.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0fca203..4dc68c6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,77 +1,2 @@
 # Changelog
-
-
-## v0.2.0 (2023-02-15)
-### Feature
-* Catalog from CIS-b xlsx ([#25](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/25)) ([`0e3af0e`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/0e3af0eb0df0fd535b658225de34815064a0a5ce))
-
-### Fix
-* Updated CIS-1.1.1 ([#24](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/24)) ([`1c45a6d`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/1c45a6d621375b495b3aa199cc0d6b11f8d0a057))
-
-## v0.1.10 (2023-01-11)
-### Fix
-* Updated CIS-1.1.1 ([#22](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/22)) ([`1f8a930`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/1f8a9309ffc7cc3da0f31ec3ddee58af0579d55b))
-
-## v0.1.9 (2023-01-11)
-### Fix
-* Remove test ([`8533dd1`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/8533dd1295de4dfcdbd48152f48ad5f28fe0d392))
-
-## v0.1.8 (2023-01-11)
-### Fix
-* Test release ([`24adaaa`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/24adaaa546cdf33e3b8d196bec5f71ad64050505))
-* Fix checkout in downstream update workflow ([`a24fab5`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/a24fab5413cf1ed3c797f8e321a5e663bf99c33c))
-
-## v0.1.7 (2022-12-17)
-### Fix
-* Updated CIS-1.1.1 ([#18](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/18)) ([`0356b09`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/0356b097a9bc3517ea46863e84dbc9735184d8ad))
-
-## v0.1.6 (2022-12-17)
-### Fix
-* Test update CIS-1.1.1 ([#16](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/16)) ([`744f310`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/744f310a1ce18dbb72c4480838636bf6c574ac67))
-
-## v0.1.5 (2022-12-17)
-### Fix
-* Updated CIS-1.1.1 ([#15](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/15)) ([`577d506`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/577d5066e44e1d40dbee4e8f95c0dabb99ccd8d5))
-
-## v0.1.4 (2022-12-13)
-### Fix
-* Updated CIS-1.1.1 ([#13](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/13)) ([`21f2880`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/21f2880f8b94c5c131020fbfd27bcbb16dda62ac))
-* Add token to main flow ([`3e4ceae`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/3e4ceaef5189b63a4e356ad47fdfe826385247c5))
-* Add token to dev push ([`e173c9b`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/e173c9bcc2e61b9b5c186f3d77f43372e95ba6e4))
-* Change md ([`59dcf62`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/59dcf62f8b6e0afaf28609df3b48db7e87a4ce9b))
-* Change md ([`0f4e554`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/0f4e554a2813023cd280508ca232f66ba53afddc))
-* Fix username ([`199cbe9`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/199cbe922d019d27047d78edf403c4ce26ed52ae))
-* Update md ([`2cb6d0e`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/2cb6d0e3f372b84c61a207e0e003056e2d8a9c2b))
-* Updated CIS-1.1.1 ([#12](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/12)) ([`aa59fc4`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/aa59fc4b8770026701043697c64be9dbbbeafc6f))
-* Updated CIS-1.1.1 ([#10](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/10)) ([`b034482`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/b034482339981d26b49d6220120f7a446cf3e6e4))
-* Fix automatic pr titles ([`a029cb2`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/a029cb2d9604fef3acba37e99117aa312d36318e))
-
-## v0.1.3 (2022-12-13)
-### Fix
-* Fix automatic downstream pr creation ([`dce9904`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/dce990437381f16ce365fa29631fec69abc24e0c))
-
-## v0.1.2 (2022-12-12)
-### Fix
-* Updated codeowners ([#8](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/issues/8)) ([`b522a29`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/b522a2968fc4e740b09fb66d3c8c69e4c720a4de))
-
-## v0.1.1 (2022-12-12)
-### Fix
-* Change remote ([`967e5c8`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/967e5c850a4d1d4037eddb681327858ec8027651))
-* Add username ([`b25a66f`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/b25a66fff8956245eeda53cb8d74d2d7d73436c5))
-* Add downstream automation ([`2f51316`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/2f51316cbdf496bdebb4e78d7d3e33621c92af76))
-* Add downstream autoupdate ([`8c9bdc7`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/8c9bdc7af0ad9169b5ceb2d79731a4466eed5648))
-
-## v0.1.0 (2022-12-11)
-### Feature
-* Add versioning ([`e558c86`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/e558c8643d56b40667220cc848ed66b2a33fc745))
-* Add release scripts ([`7a90bff`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/7a90bff0ec2e7e3d9f53811c766d2f272cc2346e))
-* Update workflows ([`18d65cc`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/18d65cc00b601c2c1ee93d03aa83e2cf2c2dde43))
-* Merge back on release ([`94ffc13`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/94ffc13ecb352eeb645d77b77b00d0fa27d00af8))
-* Change catalog ([`3c0cfb2`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/3c0cfb2c9de419e01469ab5339e1ccf9989da5f1))
-* Change catalog ([`3781ea7`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/3781ea79a79a8b1c1f49aa6180f9a0e0b8d87684))
-* Add git actions ([`6d098f5`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/6d098f565ea321e81ec8da18001212de862059fd))
-
-### Fix
-* Close if ([`39d731e`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/39d731ef1e4f2d1996e0356da7306a6f7b4968a2))
-* Update trestle version ([`ec09621`](https://github.com/ComplianceAsCode/ocp-oscal-catalogs/commit/ec096212ba5ab1ac55548f838eb8b85c1145be88))
diff --git a/CODEOWNERS b/CODEOWNERS
deleted file mode 100644
index 62119d0..0000000
--- a/CODEOWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# Codeowners file
-# Add owners of the files/directories here
-* @vikas-agarwal76 @enikonovad @ancatri @degenaro
-*.md @vikas-agarwal76 @enikonovad @ancatri @degenaro
-*.json @vikas-agarwal76 @enikonovad @ancatri @degenaro
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..b531235
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ https://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
new file mode 100644
index 0000000..da60ba7
--- /dev/null
+++ b/MAINTAINERS.md
@@ -0,0 +1,13 @@
+Trestle was designed and open sourced by a team based at [IBM Research](https://www.research.ibm.com/) and others around the world. The list includes:
+
+Alejandro Jose Leiva Palomo [AleJo2995](https://github.com/AleJo2995)
+
+Christopher Butler [butler54](https://github.com/butler54)
+
+Lou Degenaro [degenaro](https://github.com/degenaro)
+
+Jennifer Power [jpower432](https://github.com/jpower432)
+
+Manjiree Gadgil [mrgadgil](https://github.com/mrgadgil)
+
+Vikas Agarwal [vikas-agarwal76](https://github.com/vikas-agarwal76)
diff --git a/README.md b/README.md
index bed8d4b..91c5152 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
-# ocp-oscal-catalogs
-OCP Oscal Catalogs
\ No newline at end of file
+# End-to-End Demo: Compliance as Code CIS Benchmarks Catalog (snippet)
+End-to-End Demo: Compliance as Code CIS Benchmarks Catalog (snippet)
\ No newline at end of file
diff --git a/catalogs/cis-v8/catalog.json b/catalogs/cis-v8/catalog.json
new file mode 100644
index 0000000..7f46442
--- /dev/null
+++ b/catalogs/cis-v8/catalog.json
@@ -0,0 +1,2899 @@ +{ + "catalog":{ + "uuid":"e95fb23c-57d2-495f-8ab5-2c6b3152bcee", + "metadata":{ + "title":"CIS Controls", + "last-modified":"2022-01-19T16:00:34.033789-05:00", + "version":"8.0", + "oscal-version":"1.0.0", + "props":[ + { + "name":"keywords", + "value":"contol, assessment" + } + ], + "links":[ + { + "href":"https:\/\/controls-assessment-specification.readthedocs.io\/en\/stable\/index.html", + "rel":"alternate", + "media-type":"text\/html" + } + ] + }, + "controls":[ + { + "id":"cisc-1", + "title":"Inventory and Control of Enterprise Assets", + "props":[ + { + "name":"label", + "value":"CIS Control 1" + }, + { + "name":"sort-id", + "value":"cisc-01" + } + ], + "parts":[ + { + "id":"cisc-1_stmt", + "name":"statement", + "prose":"Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate." + }, + { + "id":"cisc-1_gdn", + "name":"guidance", + "prose":"Enterprises cannot defend what they do not know they have. Managed control of all enterprise assets also plays a critical role in security monitoring, incident response, system backup, and recovery. Enterprises should know what data is critical to them, and proper asset management will help identify those enterprise assets that hold or manage this critical data, so appropriate security controls can be applied.\n\nExternal attackers are continuously scanning the internet address space of target enterprises, premise-based or in the cloud, identifying possibly unprotected assets attached to enterprises’ networks. 
Attackers can take advantage of new assets that are installed, yet not securely configured and patched. Internally, unidentified assets can also have weak security configurations that can make them vulnerable to web or email-based malware; and adversaries can leverage weak security configurations for traversing the network, once they are inside.\n\nAdditional assets that connect to the enterprise’s network (e.g., demonstration systems, temporary test systems, guest networks, etc.) should be identified and\/or isolated, in order to prevent adversarial access from affecting the security of enterprise operations.\n\nLarge, complex, dynamic enterprises understandably struggle with the challenge of managing intricate, fast-changing environments. However, attackers have shown the ability, patience, and willingness to “inventory and control” our enterprise assets at very large scale in order to support their opportunities.\n\nAnother challenge is that portable end-user devices will periodically join a network and then disappear, making the inventory of currently available assets very dynamic. Likewise, cloud environments and virtual machines can be difficult to track in asset inventories when they are shut down or paused. Another benefit of complete enterprise asset management is supporting incident response. Both when investigating the origination of network traffic from an asset on the network, and to be able to identify all potentially vulnerable, or impacted, assets of similar type or location during an incident." 
+ } + ], + "controls":[ + { + "id":"cisc-1.1", + "title":"Establish and Maintain Detailed Enterprise Asset Inventory", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 1.1" + }, + { + "name":"sort-id", + "value":"cisc-01.01" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "parts":[ + { + "id":"cisc-1.1_stmt", + "name":"statement", + "prose":"Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing\/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently." 
+ } + ] + }, + { + "id":"cisc-1.2", + "title":"Address Unauthorized Assets", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 1.2" + }, + { + "name":"sort-id", + "value":"cisc-01.02" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"respond" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-1.2_stmt", + "name":"statement", + "prose":"Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset." + } + ] + }, + { + "id":"cisc-1.3", + "title":"Utilize an Active Discovery Tool", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 1.3" + }, + { + "name":"sort-id", + "value":"cisc-01.03" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"detect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-1.3_stmt", + "name":"statement", + "prose":"Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently." 
+ } + ] + }, + { + "id":"cisc-1.4", + "title":"Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 1.4" + }, + { + "name":"sort-id", + "value":"cisc-01.04" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-1.4_stmt", + "name":"statement", + "prose":"Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently." + } + ] + }, + { + "id":"cisc-1.5", + "title":"Use a Passive Asset Discovery Tool", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 1.5" + }, + { + "name":"sort-id", + "value":"cisc-01.05" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"detect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-4.2", + "rel":"dependency" + }, + { + "href":"cisc-12.4", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-1.5_stmt", + "name":"statement", + "prose":"Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently." 
+ } + ] + } + ] + }, + { + "id":"cisc-2", + "title":"Inventory and Control of Software Assets", + "props":[ + { + "name":"label", + "value":"CIS Control 2" + }, + { + "name":"sort-id", + "value":"cisc-02" + } + ], + "parts":[ + { + "id":"cisc-2_stmt", + "name":"statement", + "prose":"Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution." + }, + { + "id":"cisc-2_gdn", + "name":"guidance", + "prose":"A complete software inventory is a critical foundation for preventing attacks. Attackers continuously scan target enterprises looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. Attackers can also use this access to move laterally through the network. One of the key defenses against these attacks is updating and patching software. However, without a complete inventory of software assets, an enterprise cannot determine if they have vulnerable software, or if there are potential licensing violations.\n\nEven if a patch is not yet available, a complete software inventory list allows an enterprise to guard against known attacks until the patch is released. Some sophisticated attackers use “zero-day exploits”, which take advantage of previously unknown vulnerabilities that have yet to have a patch released by the software vendor. Depending on the severity of the exploit, an enterprise can implement temporary mitigation measures to guard against attacks until the patch is released.\n\nManagement of software assets is also important to identify unnecessary security risks. 
An enterprise should review their software inventory to identify any enterprise assets running software that is not needed for business purposes. For example, an enterprise asset may come installed with default software that creates a potential security risk and provides no benefit to the enterprise. It is critical to inventory, understand, assess, and manage all software connected to an enterprise’s infrastructure." + } + ], + "controls":[ + { + "id":"cisc-2.1", + "title":"Establish and Maintain a Software Inventory", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 2.1" + }, + { + "name":"sort-id", + "value":"cisc-02.01" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "parts":[ + { + "id":"cisc-2.1_stmt", + "name":"statement", + "prose":"Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install\/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently." 
+ } + ] + }, + { + "id":"cisc-2.2", + "title":"Ensure Authorized Software is Currently Supported", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 2.2" + }, + { + "name":"sort-id", + "value":"cisc-02.02" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-1.2_stmt", + "name":"statement", + "prose":"Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently." 
+ } + ] + }, + { + "id":"cisc-2.3", + "title":"Address Unauthorized Software", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 2.3" + }, + { + "name":"sort-id", + "value":"cisc-02.03" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"respond" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-2.3_stmt", + "name":"statement", + "prose":"Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently." 
+ } + ] + }, + { + "id":"cisc-2.4", + "title":"Utilize Automated Software Inventory Tools", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 2.4" + }, + { + "name":"sort-id", + "value":"cisc-02.04" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"detect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.3", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-2.4_stmt", + "name":"statement", + "prose":"Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software." + } + ] + }, + { + "id":"cisc-2.5", + "title":"Allowlist Authorized Software", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 2.5" + }, + { + "name":"sort-id", + "value":"cisc-02.05" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-2.3", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-2.5_stmt", + "name":"statement", + "prose":"Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. 
Reassess bi-annually, or more frequently." + } + ] + }, + { + "id":"cisc-2.6", + "title":"Allowlist Authorized Libraries", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 2.6" + }, + { + "name":"sort-id", + "value":"cisc-02.06" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-2.5", + "rel":"dependency" + }, + { + "href":"cisc-4.2", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-2.6_stmt", + "name":"statement", + "prose":"Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently." 
+ } + ] + }, + { + "id":"cisc-2.7", + "title":"Allowlist Authorized Scripts", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 2.7" + }, + { + "name":"sort-id", + "value":"cisc-02.07" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-2.7_stmt", + "name":"statement", + "prose":"Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently." + } + ] + } + ] + }, + { + "id":"cisc-3", + "title":"Data Protection", + "props":[ + { + "name":"label", + "value":"CIS Control 3" + }, + { + "name":"sort-id", + "value":"cisc-03" + } + ], + "parts":[ + { + "id":"cisc-3_stmt", + "name":"statement", + "prose":"Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data." + }, + { + "id":"cisc-3_gdn", + "name":"guidance", + "prose":"Data is no longer only contained within an enterprise’s border, it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services who might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. 
Data must be appropriately managed through its entire lifecycle. These privacy rules can be complicated for multi-national enterprises, of any size, however there are fundamentals that can apply to all.\n\nOnce attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to find and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their environment because they are not monitoring data outflows.\n\nWhile many attacks occur on the network, others involve physical theft of portable end-user devices, attacks on service providers or other partners holding sensitive data. Other sensitive enterprise assets may also include non-computing devices that provide management and control of physical systems, such as Supervisory Control and Data Acquisition (SCADA) systems.\n\nThe enterprise’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error. The adoption of data encryption, both in transit and at rest, can provide mitigation against data compromise, and more importantly, is a regulatory requirement for most controlled data." 
+ } + ], + "controls":[ + { + "id":"cisc-3.1", + "title":"Establish and Maintain a Data Management Process", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.1" + }, + { + "name":"sort-id", + "value":"cisc-03.01" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "parts":[ + { + "id":"cisc-3.1_stmt", + "name":"statement", + "prose":"Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." 
+ } + ] + }, + { + "id":"cisc-3.2", + "title":"Establish and Maintain a Data Inventory", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.2" + }, + { + "name":"sort-id", + "value":"cisc-03.02" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.2_stmt", + "name":"statement", + "prose":"Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data." 
+ } + ] + }, + { + "id":"cisc-3.3", + "title":"Configure Data Access Control Lists", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.3" + }, + { + "name":"sort-id", + "value":"cisc-03.03" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-3.2", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + }, + { + "href":"cisc-5.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.3_stmt", + "name":"statement", + "prose":"Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications." 
+ } + ] + }, + { + "id":"cisc-3.4", + "title":"Enforce Data Retention", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.4" + }, + { + "name":"sort-id", + "value":"cisc-03.04" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-3.1", + "rel":"dependency" + }, + { + "href":"cisc-3.2", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.4_stmt", + "name":"statement", + "prose":"Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines." 
+ } + ] + }, + { + "id":"cisc-3.5", + "title":"Securely Dispose of Data", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.5" + }, + { + "name":"sort-id", + "value":"cisc-03.05" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-3.1", + "rel":"dependency" + }, + { + "href":"cisc-3.2", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.5_stmt", + "name":"statement", + "prose":"Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity." 
+ } + ] + }, + { + "id":"cisc-3.6", + "title":"Encrypt Data on End-User Devices", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.6" + }, + { + "name":"sort-id", + "value":"cisc-03.06" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.6_stmt", + "name":"statement", + "prose":"Encrypt data on end-user devices containing sensitive data. Example implementations can include, Windows BitLocker®, Apple FileVault®, Linux® dm-crypt." 
+ } + ] + }, + { + "id":"cisc-3.7", + "title":"Establish and Maintain a Data Classification Scheme", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.7" + }, + { + "name":"sort-id", + "value":"cisc-03.07" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-3.1", + "rel":"dependency" + }, + { + "href":"cisc-3.2", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.7_stmt", + "name":"statement", + "prose":"Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive”, “Confidential” and “Public”, and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard." + } + ] + }, + { + "id":"cisc-3.8", + "title":"Document Data Flows", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.8" + }, + { + "name":"sort-id", + "value":"cisc-03.08" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-3.1", + "rel":"dependency" + }, + { + "href":"cisc-3.2", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.8_stmt", + "name":"statement", + "prose":"Document data flows. 
Data flow documentation includes service provider data flows and should be based on the enterprise?s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." + } + ] + }, + { + "id":"cisc-3.9", + "title":"Encrypt Data on Removable Media", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.9" + }, + { + "name":"sort-id", + "value":"cisc-03.09" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.9_stmt", + "name":"statement", + "prose":"Encrypt data on removable media." + } + ] + }, + { + "id":"cisc-3.10", + "title":"Encrypt Sensitive Data in Transit", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.10" + }, + { + "name":"sort-id", + "value":"cisc-03.10" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-3.2", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.10_stmt", + "name":"statement", + "prose":"Encrypt sensitive data in transit. 
Example implementations can include, Transport Layer Security (TLS) and Open Secure Shell (OpenSSH)." + } + ] + }, + { + "id":"cisc-3.11", + "title":"Encrypt Sensitive Data At Rest", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.11" + }, + { + "name":"sort-id", + "value":"cisc-03.11" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.11_stmt", + "name":"statement", + "prose":"Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data." 
+ } + ] + }, + { + "id":"cisc-3.12", + "title":"Segment Data Processing and Storage Based on Sensitivity", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.12" + }, + { + "name":"sort-id", + "value":"cisc-03.12" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"network" + }, + { + "name":"security-function", + "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-3.2", + "rel":"dependency" + }, + { + "href":"cisc-12.4", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.12_stmt", + "name":"statement", + "prose":"Segment data processing and storage, based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data." + } + ] + }, + { + "id":"cisc-3.13", + "title":"Segment Data Processing and Storage Based on Sensitivity", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.13" + }, + { + "name":"sort-id", + "value":"cisc-03.13" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-3.2", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.13_stmt", + "name":"statement", + "prose":"Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise’s 
sensitive data inventory." + } + ] + }, + { + "id":"cisc-3.14", + "title":"Log Sensitive Data Access", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 3.14" + }, + { + "name":"sort-id", + "value":"cisc-03.14" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", + "value":"detect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-3.14_stmt", + "name":"statement", + "prose":"Log sensitive data access, including modification and disposal." + } + ] + } + ] + }, + { + "id":"cisc-4", + "title":"Secure Configuration of Enterprise Assets and Software", + "props":[ + { + "name":"label", + "value":"CIS Control 4" + }, + { + "name":"sort-id", + "value":"cisc-04" + } + ], + "parts":[ + { + "id":"cisc-4_stmt", + "name":"statement", + "prose":"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/IoT devices; and servers) and software (operating systems and applications)." + }, + { + "id":"cisc-4_gdn", + "name":"guidance", + "prose":"As delivered from manufacturers and resellers, the default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security. Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploitable if left in their default state. 
Further, these security configuration updates need to be managed and maintained over the life cycle of enterprise assets and software. Configuration updates need to be tracked and approved through configuration management workflow process to maintain a record that can be reviewed for compliance, leveraged for incident response, and to support audits. This CIS Control is important to on-premises devices, as well as remote devices, network devices, and cloud environments.\n\nService providers play a key role in modern infrastructures, especially for smaller enterprises. They often are not set up by default in the most secure configuration to provide flexibility for their customers to apply their own security policies. Therefore, the presence of default accounts or passwords, excessive access, or unnecessary services are common in default configurations. These could introduce weaknesses that are under the responsibility of the enterprise that is using the software, rather than the service provider. This extends to ongoing management and updates, as some Platform as a Service (PaaS) only extend to the operating system, so patching and updating hosted applications are under the responsibility of the enterprise.\n\nEven after a strong initial configuration is developed and applied, it must be continually managed to avoid degrading security as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked,” to allow the installation of new software or to support new operational requirements." 
+ } + ], + "controls":[ + { + "id":"cisc-4.1", + "title":"Establish and Maintain a Secure Configuration Process", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.1" + }, + { + "name":"sort-id", + "value":"cisc-04.01" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"applications" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.1_stmt", + "name":"statement", + "prose":"Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing\/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." 
+ } + ] + }, + { + "id":"cisc-4.2", + "title":"Establish and Maintain a Secure Configuration Process for Network Infrastructure", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.2" + }, + { + "name":"sort-id", + "value":"cisc-04.02" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"network" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.2_stmt", + "name":"statement", + "prose":"Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard." 
+ } + ] + }, + { + "id":"cisc-4.3", + "title":"Configure Automatic Session Locking on Enterprise Assets", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.3" + }, + { + "name":"sort-id", + "value":"cisc-04.03" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.3_stmt", + "name":"statement", + "prose":"Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes." 
+ } + ] + }, + { + "id":"cisc-4.4", + "title":"Implement and Manage a Firewall on Servers", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.4" + }, + { + "name":"sort-id", + "value":"cisc-04.04" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.4_stmt", + "name":"statement", + "prose":"Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent." 
+ } + ] + }, + { + "id":"cisc-4.5", + "title":"Implement and Manage a Firewall on End-User Devices", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.5" + }, + { + "name":"sort-id", + "value":"cisc-04.05" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.5_stmt", + "name":"statement", + "prose":"Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed." 
+ } + ] + }, + { + "id":"cisc-4.6", + "title":"Securely Manage Enterprise Assets and Software", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.6" + }, + { + "name":"sort-id", + "value":"cisc-04.06" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"network" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.6_stmt", + "name":"statement", + "prose":"Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential." 
+ } + ] + }, + { + "id":"cisc-4.7", + "title":"Manage Default Accounts on Enterprise Assets and Software", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.7" + }, + { + "name":"sort-id", + "value":"cisc-04.07" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"potect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-5.2", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.7_stmt", + "name":"statement", + "prose":"Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable." 
+ } + ] + }, + { + "id":"cisc-4.8", + "title":"Uninstall or Disable Unnecessary Services on Enterprise Assets and Software", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.8" + }, + { + "name":"sort-id", + "value":"cisc-04.08" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.8_stmt", + "name":"statement", + "prose":"Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function." + } + ] + }, + { + "id":"cisc-4.9", + "title":"Configure Trusted DNS Servers on Enterprise Assets", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.9" + }, + { + "name":"sort-id", + "value":"cisc-04.09" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.9_stmt", + "name":"statement", + "prose":"Configure trusted DNS servers on enterprise assets. 
Example implementations include: configuring assets to use enterprise-controlled DNS servers and\/or reputable externally accessible DNS servers." + } + ] + }, + { + "id":"cisc-4.10", + "title":"Enforce Automatic Device Lockout on Portable End-User Devices", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.10" + }, + { + "name":"sort-id", + "value":"cisc-04.10" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"respond" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.10_stmt", + "name":"statement", + "prose":"Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft? InTune Device Lock and Apple? Configuration Profile maxFailedAttempts." 
+ } + ] + }, + { + "id":"cisc-4.11", + "title":"Enforce Remote Wipe Capability on Portable End-User Devices", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.11" + }, + { + "name":"sort-id", + "value":"cisc-04.11" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.11_stmt", + "name":"statement", + "prose":"Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise." + } + ] + }, + { + "id":"cisc-4.12", + "title":"Separate Enterprise Workspaces on Mobile End-User Devices", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 4.12" + }, + { + "name":"sort-id", + "value":"cisc-04.12" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"devices" + }, + { + "name":"security-function", + "ns":"nhttps:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-4.12_stmt", + "name":"statement", + "prose":"Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple? Configuration Profile or Android? 
Work Profile to separate enterprise applications and data from personal applications and data." + } + ] + } + ] + }, + { + "id":"cisc-5", + "title":"Account Management", + "props":[ + { + "name":"label", + "value":"CIS Control 5" + }, + { + "name":"sort-id", + "value":"cisc-05" + } + ], + "parts":[ + { + "id":"cisc-5_stmt", + "name":"statement", + "prose":"Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software." + }, + { + "id":"cisc-5_gdn", + "name":"guidance", + "prose":"It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data through using valid user credentials than through “hacking” the environment. There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as one they use for an online account that has been compromised (in a public password dump), social engineering a user to give their password, or using malware to capture passwords or tokens in memory or over the network.\n\nAdministrative, or highly privileged, accounts are a particular target, because they allow attackers to add other accounts, or make changes to assets that could make them more vulnerable to other attacks. Service accounts are also sensitive, as they are often shared among teams, internal and external to the enterprise, and sometimes not known about, only to be revealed in standard account management audits.\n\nFinally, account logging and monitoring is a critical component of security operations. 
While account logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is important in the development of a comprehensive Identity and Access Management (IAM) program." + } + ], + "controls":[ + { + "id":"cisc-5.1", + "title":"Establish and Maintain an Inventory of Accounts", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 5.1" + }, + { + "name":"sort-id", + "value":"cisc-05.01" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-5.1_stmt", + "name":"statement", + "prose":"Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start\/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently." 
+ } + ] + }, + { + "id":"cisc-5.2", + "title":"Use Unique Passwords", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 5.2" + }, + { + "name":"sort-id", + "value":"cisc-05.02" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "parts":[ + { + "id":"cisc-5.2_stmt", + "name":"statement", + "prose":"Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA." + } + ] + }, + { + "id":"cisc-5.3", + "title":"Disable Dormant Accounts", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 5.3" + }, + { + "name":"sort-id", + "value":"cisc-05.03" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"respond" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-5.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-5.3_stmt", + "name":"statement", + "prose":"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported" + } + ] + }, + { + "id":"cisc-5.4", + "title":"Restrict Administrator 
Privileges to Dedicated Administrator Accounts", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 5.4" + }, + { + "name":"sort-id", + "value":"cisc-05.04" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-5.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-5.4_stmt", + "name":"statement", + "prose":"Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account." + } + ] + }, + { + "id":"cisc-5.5", + "title":"Establish and Maintain an Inventory of Service Accounts", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 5.5" + }, + { + "name":"sort-id", + "value":"cisc-05.05" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-6.6", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-5.5_stmt", + "name":"statement", + "prose":"Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. 
Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently." + } + ] + }, + { + "id":"cisc-5.6", + "title":"Centralize Account Management", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 5.6" + }, + { + "name":"sort-id", + "value":"cisc-05.06" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-5.6_stmt", + "name":"statement", + "prose":"Centralize account management through a directory or identity service." + } + ] + } + ] + }, + { + "id":"cisc-6", + "title":"Access Control Management", + "props":[ + { + "name":"label", + "value":"CIS Control 6" + }, + { + "name":"sort-id", + "value":"cisc-06" + } + ], + "parts":[ + { + "id":"cisc-6_stmt", + "name":"statement", + "prose":"Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software." + }, + { + "id":"cisc-6_gdn", + "name":"guidance", + "prose":"Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing what access these accounts have, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorization needed for the role. 
Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provision and de-provisioning access is also important. Centralizing this function is ideal.\n\nThere are some user activities that pose greater risk to an enterprise, either because they are accessed from untrusted networks, or performing administrator functions that allow the ability to add, change, or remove other accounts, or make configuration changes to operating systems or applications to make them less secure. This also enforces the importance of using MFA and Privileged Access Management (PAM) tools.\n\nSome users have access to enterprise assets or data they do not need for their role; this might be due to an immature process that gives all users all access, or lingering access as users change roles within the enterprise over time. Local administrator privileges to users’ laptops is also an issue, as any malicious code installed or downloaded by the user can have greater impact on the enterprise asset running as administrator. User, administrator, and service account access should be based on enterprise role and need." 
+ } + ], + "controls":[ + { + "id":"cisc-6.1", + "title":"Establish an Access Granting Process", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.1" + }, + { + "name":"sort-id", + "value":"cisc-06.01" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "parts":[ + { + "id":"cisc-6.1_stmt", + "name":"statement", + "prose":"Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user." + } + ] + }, + { + "id":"cisc-6.2", + "title":"Establish an Access Revoking Process", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.2" + }, + { + "name":"sort-id", + "value":"cisc-06.02" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "parts":[ + { + "id":"cisc-6.2_stmt", + "name":"statement", + "prose":"Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. 
Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails." + } + ] + }, + { + "id":"cisc-6.3", + "title":"Require MFA for Externally-Exposed Applications", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.3" + }, + { + "name":"sort-id", + "value":"cisc-06.03" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-2.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + }, + { + "href":"cisc-5.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-6.3_stmt", + "name":"statement", + "prose":"Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard." 
+ } + ] + }, + { + "id":"cisc-6.4", + "title":"Require MFA for Remote Network Access", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.4" + }, + { + "name":"sort-id", + "value":"cisc-06.04" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-4.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-6.4_stmt", + "name":"statement", + "prose":"Require MFA for remote network access." + } + ] + }, + { + "id":"cisc-6.5", + "title":"Require MFA for Administrative Access", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.5" + }, + { + "name":"sort-id", + "value":"cisc-06.05" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"1" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-4.1", + "rel":"dependency" + }, + { + "href":"cisc-5.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-6.5_stmt", + "name":"statement", + "prose":"Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a 
third-party provider." + } + ] + }, + { + "id":"cisc-6.6", + "title":"Establish and Maintain an Inventory of Authentication and Authorization Systems", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.6" + }, + { + "name":"sort-id", + "value":"cisc-06.06" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"identify" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-6.6_stmt", + "name":"statement", + "prose":"Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently." 
+ } + ] + }, + { + "id":"cisc-6.7", + "title":"Centralize Access Control", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.7" + }, + { + "name":"sort-id", + "value":"cisc-06.07" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"users" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"2" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-1.1", + "rel":"dependency" + }, + { + "href":"cisc-2.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-6.7_stmt", + "name":"statement", + "prose":"Centralize access control for all enterprise assets through a directory service or SSO provider, where supported." + } + ] + }, + { + "id":"cisc-6.8", + "title":"Centralize Access Control", + "props":[ + { + "name":"label", + "value":"CIS Safeguard 6.8" + }, + { + "name":"sort-id", + "value":"cisc-06.08" + }, + { + "name":"asset-type", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"data" + }, + { + "name":"security-function", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"protect" + }, + { + "name":"implementation-group", + "ns":"https:\/\/cisecurity.org\/ns\/oscal", + "value":"3" + } + ], + "links":[ + { + "href":"cisc-5.1", + "rel":"dependency" + } + ], + "parts":[ + { + "id":"cisc-6.8_stmt", + "name":"statement", + "prose":"Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently." + } + ] + } + ] + } + ] + } +} \ No newline at end of file 
diff --git a/catalogs/ocp4-cis/catalog.json b/catalogs/ocp4-cis/catalog.json deleted file mode 100644 index 3ed34d7..0000000 --- a/catalogs/ocp4-cis/catalog.json +++ /dev/null 
@@ -1,12159 +0,0 @@ -{ - "catalog": { - "uuid": "9d69e91b-523c-4915-89f1-92731b1b85f7", - "metadata": { - "title": "CIS Red Hat OpenShift Container Platform Benchmark", - "last-modified": "2023-02-15T07:14:21.927553+00:00", - "version": "0.2.0", - "oscal-version": "1.0.2" - }, - "groups": [ - { - "id": "CIS-1", - "title": "Control Plane Components", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-1_smt", - "name": "statement", - "prose": "This section consists of security recommendations for the direct configuration of Kubernetes control plane processes. These recommendations assume that the OpenShift cluster has 3 master nodes, as that is the default configuration on installation. These recommendations may not be directly applicable for cluster operators in environments where these components are managed by a 3rd party such as OpenShift Dedicated, Azure Red Hat OpenShift or Red Hat OpenShift Service on AWS.\n\nAll Audit and Remediation commands assume that you are logged into the OpenShift cluster with the cluster admin role, cluster bound." 
- } - ], - "groups": [ - { - "id": "CIS-1.1", - "title": "Master Node Configuration Files", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "controls": [ - { - "id": "CIS-1.1.1", - "title": "Ensure that the API server pod specification file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#4fa8c2d3-6b4c-428a-a0bb-5e25f4bed301", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.1_smt", - "name": "statement", - "prose": "Ensure that the API server pod specification file has permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-1.1.1_rationale_statement", - "name": "rationale_statement", - "prose": "The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable only by the administrators on the system." - }, - { - "id": "CIS-1.1.1_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\n```" - }, - { - "id": "CIS-1.1.1_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server.\n\nThe OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. \n\nThe Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 0644.\n\nTo verify pod specification file permissions for the kube-apiserver, run the following command.\n\n```\n#echo “check kube-apiserver pod specification file permissions”\n\nfor i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )\ndo\n oc exec -n openshift-kube-apiserver $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive." 
- }, - { - "id": "CIS-1.1.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.1.2", - "title": "Ensure that the API server pod specification file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#a17d309e-222a-44a5-b2df-e0239742208d", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.2_smt", - "name": "statement", - "prose": "Ensure that the API server pod specification file ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.2_rationale_statement", - "name": "rationale_statement", - "prose": "The API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-1.1.2_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required; file permissions are managed by the operator." - }, - { - "id": "CIS-1.1.2_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. \n\nThe OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. \n\nThe Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. 
The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with ownership `root:root`.\n\nTo verify pod specification file ownership for the kube-apiserver, run the following command.\n\n```\n#echo “check kube-apiserver pod specification file ownership”\n\nfor i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name )\ndo\n oc exec -n openshift-kube-apiserver $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml\ndone\n```\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" - } - ] - }, - { - "id": "CIS-1.1.3", - "title": "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#f7f556ab-234b-4a8a-a2ca-fec600e826de", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.3_smt", - "name": "statement", - "prose": "Ensure that the controller manager pod specification file has permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-1.1.3_rationale_statement", - "name": "rationale_statement", - "prose": "The controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-1.1.3_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\n```" - }, - { - "id": "CIS-1.1.3_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift 4 deploys two controller managers: the OpenShift Controller manager and the Kube Controller manager. \n\nThe OpenShift Controller manager is managed as a deployment. The pod specification yaml for openshift-controller-manager is stored in etcd. \n\nThe Kube Controller manager is managed as a static pod. The pod specification file for the openshift-kube-controller-manager is created on control plane nodes at /etc/kubernetes/manifests/kube-controller-manager-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml with permissions 0644.\n\nTo verify pod specification file permissions for the kube-controller-manager, run the following command.\n\n```\n#echo \"check openshift-kube-controller-manager pod specification file permissions\"\n\nfor i in $( oc get pods -n openshift-kube-controller-manager -o name -l app=kube-controller-manager)\ndo\n oc exec -n openshift-kube-controller-manager $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive." 
- }, - { - "id": "CIS-1.1.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.1.4", - "title": "Ensure that the controller manager pod specification file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#005c3423-193e-4db8-9ea4-a4535d6615dd", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.4_smt", - "name": "statement", - "prose": "Ensure that the controller manager pod specification file ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.4_rationale_statement", - "name": "rationale_statement", - "prose": "The controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-1.1.4_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required; file permissions are managed by the operator." - }, - { - "id": "CIS-1.1.4_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift 4 deploys two controller managers: the OpenShift Controller manager and the Kube Controller manager. \n\nThe OpenShift Controller manager is managed as a deployment. The pod specification yaml for openshift-controller-manager is stored in etcd. \n\nThe Kube Controller manager is managed as a static pod. The pod specification file for the openshift-kube-controller-manager is created on control plane nodes at /etc/kubernetes/manifests/kube-controller-manager-pod.yaml. 
It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml with ownership root:root.\n\nRun the following command.\n\n```\n#echo “openshift-kube-controller-manager pod specification file ownership\"\n\nfor i in $( oc get pods -n openshift-kube-controller-manager -o name -l app=kube-controller-manager)\ndo\n oc exec -n openshift-kube-controller-manager $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-controller-manager-pod.yaml\ndone\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" - } - ] - }, - { - "id": "CIS-1.1.5", - "title": "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#17caf35a-2d76-4359-8ff9-dc3b12f2a874", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.5_smt", - "name": "statement", - "prose": "Ensure that the scheduler pod specification file has permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-1.1.5_rationale_statement", - "name": "rationale_statement", - "prose": "The scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-1.1.5_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.5_remediation_procedure", - "name": "remediation_procedure", - "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n```" - }, - { - "id": "CIS-1.1.5_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4 the kube-scheduler is deployed as a static pod and its pod specification file is created on control plane nodes at /etc/kubernetes/manifests/kube-scheduler-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml with permissions 0644.\n\nTo verify, run the following command. \n\n```\n#Verify openshift-kube-scheduler permissions\n\nfor i in $(oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name)\n do\n oc exec -n openshift-kube-scheduler $i -- \\\n stat -c %a /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n done\n```\n\nVerify that the permissions are `600` or more restrictive." - }, - { - "id": "CIS-1.1.5_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.1.6", - "title": "Ensure that the scheduler pod specification file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, 
M1026" - } - ], - "links": [ - { - "href": "#ba265dc2-094e-48d5-a15a-8b982fb6d579", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.6_smt", - "name": "statement", - "prose": "Ensure that the scheduler pod specification file ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.6_rationale_statement", - "name": "rationale_statement", - "prose": "The scheduler pod specification file controls various parameters that set the behavior of the `kube-scheduler` service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-1.1.6_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.6_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required; file permissions are managed by the operator." - }, - { - "id": "CIS-1.1.6_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the kube-scheduler is deployed as a static pod and its pod specification file is created on control plane nodes at /etc/kubernetes/manifests/kube-scheduler-pod.yaml. It is mounted via hostpath to the kube-controller-manager pods via /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml with ownership `root:root`.\n\nRun the following command. \n\n```\n#Verify openshift-kube-scheduler ownership\nfor i in $(oc get pods -n openshift-kube-scheduler -l app=openshift-kube-scheduler -o name)\n do\n oc exec -n openshift-kube-scheduler $i -- \\\n stat -c %U:%G /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml\n done\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.6_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" - } - ] - }, - { - "id": "CIS-1.1.7", - "title": "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": 
"#a66fe000-f5f1-4fe8-b67f-f2260dd22875", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.7_smt", - "name": "statement", - "prose": "Ensure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of `600` or more restrictive." - }, - { - "id": "CIS-1.1.7_rationale_statement", - "name": "rationale_statement", - "prose": "The etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the `etcd` service in the master node. `etcd` is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-1.1.7_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.7_remediation_procedure", - "name": "remediation_procedure", - "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/manifests/etcd-pod.yaml\n```" - }, - { - "id": "CIS-1.1.7_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, starting with OpenShift 4.4, the etcd pod specification file is generated by the cluster etcd operator. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml` with permissions `644`.\n\nThe default etcd pod specification file is available here: [openshift/cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml)\n\nRun the following command.\n\n```\n#Verify openshift-etcd permissions\n\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )\ndo\n echo \"check pod $i\"\n oc rsh -n openshift-etcd $i \\\n stat -c %a /etc/kubernetes/manifests/etcd-pod.yaml\ndone\n```\n\nVerify that the permissions are 600 or more restrictive." 
- }, - { - "id": "CIS-1.1.7_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.1.8", - "title": "Ensure that the etcd pod specification file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#d14ae650-3329-416b-9a3b-bea168fe3742", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.8_smt", - "name": "statement", - "prose": "Ensure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.8_rationale_statement", - "name": "rationale_statement", - "prose": "The etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the `etcd` service in the master node. `etcd` is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-1.1.8_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.8_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required; file permissions are managed by the operator." - }, - { - "id": "CIS-1.1.8_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, starting with OpenShift 4.4, the etcd pod specification file is generated by the cluster etcd operator. 
The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml` with ownership `root:root`.\n\nThe default etcd pod specification file is available here: [openshift/cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml)\n\nRun the following command :\n\n```\n#Verify openshift-etcd ownership\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )\ndo\n echo \"check pod $i\"\n oc rsh -n openshift-etcd $i \\\n stat -c %U:%G /etc/kubernetes/manifests/etcd-pod.yaml\ndone\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.8_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" - } - ] - }, - { - "id": "CIS-1.1.9", - "title": "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#5864249f-943b-4f1c-9a21-2a0a42e92dea", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.9_smt", - "name": "statement", - "prose": "Ensure that the Container Network Interface files have permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-1.1.9_rationale_statement", - "name": "rationale_statement", - "prose": "Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be writable by only the administrators on the system." - }, - { - "id": "CIS-1.1.9_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.9_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required; file permissions are managed by the operator." - }, - { - "id": "CIS-1.1.9_audit_procedure", - "name": "audit_procedure", - "prose": "The Cluster Network Operator (CNO) deploys and manages the cluster network components on an OpenShift Container Platform cluster. This includes the Container Network Interface (CNI) default network provider plug-in selected for the cluster during installation. OpenShift Container Platform uses the Multus CNI plug-in to allow chaining of CNI plug-ins. The default Pod network must be configured during cluster installation. By default, the CNO deploys the OpenShift SDN as the default Pod network. \n\nEnsure that the Container Network Interface file permissions, multus, openshift-sdn and Open vSwitch (OVS) file permissions are set to 644 or more restrictive. The SDN components are deployed as DaemonSets across the master/worker nodes with controllers limited to control plane nodes. OpenShift deploys OVS as a network overlay by default. 
Various configurations (ConfigMaps and other files managed by the operator via hostpath but stored on the container hosts) are stored in the following locations:\n\nCNI/Multus (pod muluts):\n\n`/host/etc/cni/net.d = CNI_CONF_DIR`\n`/host/var/run/multus/cni/net.d = multus config dir`\n\nSDN (pod ovs; daemonset; app=ovs):\n\n`/var/lib/cni/networks/openshift-sdn `\n`/var/run/openshift-sdn`\n\nOVS (container openvswitch):\n\n`/var/run/openvswitch`\n`/etc/openvswitch`\n`/run/openvswitch`\n\nRun the following commands. \n\n```\n\n# For CNI multus\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%a %n\\\" /host/etc/cni/net.d/*.conf\"; done\n\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%a %n\\\" /host/var/run/multus/cni/net.d/*.conf\"; done\n\n# For SDN pods\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c %a {} \\;; done\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/run/openshift-sdn -type f -exec stat -c %a {} \\;; done\n\n# For OVS pods\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /var/run/openvswitch -type f -exec stat -c %a {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /etc/openvswitch -type f -exec stat -c %a {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /run/openvswitch -type f -exec stat -c %a {} \\;; done \n```\n\nVerify that the config files for the CNI multus pods have permissions of 600 or more restrictive. 
\n\n`/host/etc/cni/net.d/00-multus.conf = 600`\n`/host/var/run/multus/cni/net.d/80-openshift-network.conf = 600`\n\nVerify that the SDN pods permissions are 600 or more restrictive.\n\n`/var/lib/cni/networks/openshift-sdn/* = 600`\n`/var/run/openshift-sdn/cniserver/config.json = 600`\n\nVerify that the OVS permissions are 600 or more restrictive.\n\n`/var/run/openvswitch/ovs-vswitchd.pid = 600`\n`/etc/openvswitch/conf.db = 600`\n`/etc/openvswitch/system-id.conf = 600`\n`/etc/openvswitch/.conf.db.~lock~ = 600`\n`/run/openvswitch/ovs-vswitchd.pid = 600`\n`/run/openvswitch/ovsdb-server.pid = 644`" - }, - { - "id": "CIS-1.1.9_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.1.10", - "title": "Ensure that the Container Network Interface file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#b679d699-ad77-45c7-9ed4-454a836b1031", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.10_smt", - "name": "statement", - "prose": "Ensure that the Container Network Interface files have ownership set to `root:root`." 
- }, - { - "id": "CIS-1.1.10_rationale_statement", - "name": "rationale_statement", - "prose": "Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be owned by `root:root`." - }, - { - "id": "CIS-1.1.10_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.10_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required; file permissions are managed by the operator." - }, - { - "id": "CIS-1.1.10_audit_procedure", - "name": "audit_procedure", - "prose": "The Cluster Network Operator (CNO) deploys and manages the cluster network components on an OpenShift Container Platform cluster. This includes the Container Network Interface (CNI) default network provider plug-in selected for the cluster during installation. OpenShift Container Platform uses the Multus CNI plug-in to allow chaining of CNI plug-ins. The default Pod network must be configured during cluster installation. By default, the CNO deploys the OpenShift SDN as the default Pod network. \n\nEnsure that the `multu` and `openshift-sdn` file ownership is set to root:root and the Open vSwitch (OVS) file ownership is set to `openvswitch:openvswitch`. \n\nThe SDN components are deployed as DaemonSets across the master/worker nodes with controllers limited to control plane nodes. OpenShift deploys OVS as a network overlay by default. 
Various configurations (ConfigMaps and other files managed by the operator via `hostpath` but stored on the container hosts) are stored in the following locations:\n\nCNI:\n\n`/etc/cni/net.d`\n`/host/var/run/multus/cni/net.d`\n\nSDN:\n\n`/var/lib/cni/networks/openshift-sdn `\n`/var/run/openshift-sdn`\n\nSDN OVS:\n\n`/var/run/openvswitch`\n`/etc/openvswitch`\n`/run/openvswitch`\n\nRun the following commands.\n\n```\n\n# For CNI multus\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%U:%G %n\\\" /host/etc/cni/net.d/*.conf\"; done\n\nfor i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c \"stat -c \\\"%U:%G %n\\\" /host/var/run/multus/cni/net.d/*.conf\"; done\n\n# For SDN pods\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c \\\"%U:%G\\\" {} \\;; done\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/run/openshift-sdn -type f -exec stat -c %U:%G {} \\;; done\n\n# For OVS pods in 4.5\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /var/run/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /etc/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\nfor i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /run/openvswitch -type f -exec stat -c %U:%G {} \\;; done \n\n# For OVS pods in 4.6\nTBD\n```\n\nVerify that the CNI and SDN file ownership is set to `root:root`.\n\n`/host/etc/cni/net.d/00-multus.conf = root:root`\n`/host/var/run/multus/cni/net.d/80-openshift-network.conf = root:root`\n`/var/lib/cni/networks/openshift-sdn = root:root`\n`/var/run/openshift-sdn = 
root:root`\n\nVerify that the OVS file ownership is set to `openvswitch:openvswitch`.\n\n`/var/run/openvswitch = openvswitch:openvswitch`\n`/etc/openvswitch = openvswitch:openvswitch`\n`/run/openvswitch = openvswitch:openvswitch`" - }, - { - "id": "CIS-1.1.10_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" - } - ] - }, - { - "id": "CIS-1.1.11", - "title": "Ensure that the etcd data directory permissions are set to 700 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#1436e335-5bdc-4339-aa7e-ded1e56b015c", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.11_smt", - "name": "statement", - "prose": "Ensure that the etcd data directory has permissions of `700` or more restrictive." - }, - { - "id": "CIS-1.1.11_rationale_statement", - "name": "rationale_statement", - "prose": "`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should not be readable or writable by any group members or the world." - }, - { - "id": "CIS-1.1.11_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.11_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required. File permissions are managed by the `etcd` operator." - }, - { - "id": "CIS-1.1.11_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml`. The `etcd` database is stored on the container host in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The permissions for this directory on the container host is `700`. 
\n\nStarting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. cluster-admin rights are required to exec into `etcd` containers.\n\nRun the following commands.\n\n```\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %a%n /var/lib/etcd/member; done\n```\n\nVerify that the permissions are `700`." - }, - { - "id": "CIS-1.1.11_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.1.12", - "title": "Ensure that the etcd data directory ownership is set to etcd:etcd", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#28d31254-ad8d-47c5-a102-594b3db49a4c", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.12_smt", - "name": "statement", - "prose": "Ensure that the `etcd` data directory ownership is set to `etcd:etcd`." 
- }, - { - "id": "CIS-1.1.12_rationale_statement", - "name": "rationale_statement", - "prose": "`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.\n\nNOTE: The only users that exist on an RHCOS OpenShift node are root and core. This is intentional, as regular management of the underlying RHCOS cluster nodes is designed to be performed via the OpenShift API itself. The core user is a member of the wheel group, which gives it permission to use `sudo` for running privileged commands. Adding additional users at the node level is highly discouraged." - }, - { - "id": "CIS-1.1.12_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.1.12_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required; file ownership is managed by the operator." - }, - { - "id": "CIS-1.1.12_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The `etcd` database is stored on the master nodes in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The ownership for this directory on the `etcd-member` container and on the container host is `root:root`. \n\nStarting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. 
cluster-admin rights are required to exec into `etcd` containers.\n\nRun the following command.\n\n```\nfor i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %U:%G /var/lib/etcd/member; done\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-1.1.12_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" - } - ] - }, - { - "id": "CIS-1.1.13", - "title": "Ensure that the admin.conf file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - 
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#5872a0ff-2aea-4191-a31b-d914bdc46ca5", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.1.13_smt", - "name": "statement", - "prose": "Ensure that the `admin.conf` file has permissions of `600` or more restrictive." - }, - { - "id": "CIS-1.1.13_rationale_statement", - "name": "rationale_statement", - "prose": "The `admin.conf` is the administrator `kubeconfig` file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-1.1.13_impact_statement", - "name": "impact_statement", - "prose": "None." - }, - { - "id": "CIS-1.1.13_remediation_procedure", - "name": "remediation_procedure", - "prose": "Execute the command below:\n\n```\nchmod 600 /etc/kubernetes/kubeconfig/admin.config\n```" - }, - { - "id": "CIS-1.1.13_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4 the admin config file is stored in `/etc/kubernetes/kubeconfig` with permissions `644`.\n\nRun the following command.\n\n```\nfor i in $(oc get nodes -o name)\n do\n echo $i\n oc debug $i -- <.`. 
The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. \n\nRun the following command:\n\n```\n# TLS Cert File - openshift-kube-apiserver\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.certFile\n\n# TLS Key File\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.keyFile\n```\n\nVerify that the following files exist.\n\n`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt` \n`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key`" - }, - { - "id": "CIS-1.2.30_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-1.2.31", - "title": "Ensure that the --client-ca-file argument is set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#befe3b8f-c971-4274-9724-1df35e87491c", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.2.31_smt", - "name": "statement", - "prose": "Setup TLS connection on the API server." 
- }, - { - "id": "CIS-1.2.31_rationale_statement", - "name": "rationale_statement", - "prose": "API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate." - }, - { - "id": "CIS-1.2.31_impact_statement", - "name": "impact_statement", - "prose": "TLS and client certificate authentication must be configured for your Kubernetes cluster deployment. By default, OpenShift uses X.509 certificates to provide secure connections between the API server and node/kubelet. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. The OpenShift Container Platform alerting framework has rules to help identify when a certificate issue is about to occur. These rules consist of the following checks:\n\n- API server client certificate expiration is less than five minutes." - }, - { - "id": "CIS-1.2.31_remediation_procedure", - "name": "remediation_procedure", - "prose": "OpenShift automatically manages TLS authentication for the API server communication with the node/kublet. This is not configurable. \n\nYou may optionally set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. \n\n```\nUser-provided certificates must be provided in a kubernetes.io/tls type Secret in the openshift-config namespace. 
Update the API server cluster configuration, the apiserver/cluster resource, to enable the use of the user-provided certificate.\n```" - }, - { - "id": "CIS-1.2.31_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses X.509 certificates to provide secure connections between API server and node/kubelet by default. OpenShift configures the `client-ca-file` value and does not use value assigned to the `client-ca-file` flag. OpenShift generates the necessary files and sets the arguments appropriately. \n\nThe API server is accessible by clients external to the cluster at `api..`. The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. \n\nRun the following command:\n\n```\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .servingInfo.clientCA\n```\n\nVerify that the following file exists.\n\n`/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt`" - }, - { - "id": "CIS-1.2.31_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-1.2.32", - "title": "Ensure that the --etcd-cafile argument is set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#145df28f-05bb-489e-a5f2-120c097942d7", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.2.32_smt", - "name": "statement", - "prose": "`etcd` should be configured to make use of TLS encryption for client connections." 
- }, - { - "id": "CIS-1.2.32_rationale_statement", - "name": "rationale_statement", - "prose": "`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the `etcd` server using a SSL Certificate Authority file." - }, - { - "id": "CIS-1.2.32_impact_statement", - "name": "impact_statement", - "prose": "TLS and client certificate authentication must be configured for `etcd`." - }, - { - "id": "CIS-1.2.32_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. Communication with `etcd` is secured by the `etcd` serving CA." - }, - { - "id": "CIS-1.2.32_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift does not use values assigned to the `etcd-cafile` argument. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. OpenShift includes multiple certificate authorities (CAs) providing independent chains of trust, increasing the security posture of the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. 
Communication with `etcd` is secured by the `etcd` serving CA.\n\nRun the following command\n\n```\n# etcd CA File\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r .storageConfig.ca\n\n# for ocp 4.6 replace jq -r .storageConfig.ca with\n jq -r '.apiServerArguments[\"etcd-cafile\"]'\n```\n\nVerify that the following is returned\n\n`/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt`" - }, - { - "id": "CIS-1.2.32_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-1.2.33", - "title": "Ensure that the --encryption-provider-config argument is set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#d02d38ef-2e86-4dcf-a894-b44ddb562b12", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.2.33_smt", - "name": "statement", - "prose": "Encrypt `etcd` key-value store." - }, - { - "id": "CIS-1.2.33_rationale_statement", - "name": "rationale_statement", - "prose": "`etcd` is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures." - }, - { - "id": "CIS-1.2.33_impact_statement", - "name": "impact_statement", - "prose": "When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:\n\n- Secrets\n- ConfigMaps\n- Routes\n- OAuth access tokens\n- OAuth authorize tokens\n\nWhen you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup." - }, - { - "id": "CIS-1.2.33_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)" - }, - { - "id": "CIS-1.2.33_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. 
Keys are stored on the filesystem of the master and automatically rotated.\n\nFollow the steps in the documentation to encrypt the `etcd` datastore: Encrypting [etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)\n\nRun the following command to review the `Encrypted` status condition for the OpenShift API server to verify that its resources were successfully encrypted:\n\n```\n# encrypt the etcd datastore\noc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n```\n\nThe output shows `EncryptionCompleted` upon successful encryption. \n\n- `EncryptionCompleted`\n- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io`\n\nIf the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again." - }, - { - "id": "CIS-1.2.33_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. 
;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" - } - ] - }, - { - "id": "CIS-1.2.34", - "title": "Ensure that encryption providers are appropriately configured", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#9e782cd9-b388-4b72-ba8e-5ae74e2fc06f", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.2.34_smt", - "name": "statement", - "prose": "Where `etcd` encryption is used, appropriate providers should be configured." 
- }, - { - "id": "CIS-1.2.34_rationale_statement", - "name": "rationale_statement", - "prose": "Where `etcd` encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the `aescbc`, `kms` and `secretbox` are likely to be appropriate options." - }, - { - "id": "CIS-1.2.34_impact_statement", - "name": "impact_statement", - "prose": "When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:\n\n- Secrets\n- ConfigMaps\n- Routes\n- OAuth access tokens\n- OAuth authorize tokens\n\nWhen you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup." - }, - { - "id": "CIS-1.2.34_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html)" - }, - { - "id": "CIS-1.2.34_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. No other ciphers are supported. Keys are stored on the filesystem of the master and automatically rotated.\n\nRun the following command to review the Encrypted status condition for the OpenShift API server to verify that its resources were successfully encrypted:\n\n```\n# encrypt the etcd datastore \noc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type==\"Encrypted\")]}{.reason}{\"\\n\"}{.message}{\"\\n\"}'\n```\n\nThe output shows EncryptionCompleted upon successful encryption. 
\n\n- `EncryptionCompleted`\n- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io`\n\nIf the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again." - }, - { - "id": "CIS-1.2.34_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" - } - ] - }, - { - "id": "CIS-1.2.35", - "title": "Ensure that the API Server only makes use of Strong Cryptographic Ciphers", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - 
"value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1041" - } - ], - "links": [ - { - "href": "#22b065f6-0a4a-4564-86a1-e6a050ebbcca", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.2.35_smt", - "name": "statement", - "prose": "Ensure that the API server is configured to only use strong cryptographic ciphers." - }, - { - "id": "CIS-1.2.35_rationale_statement", - "name": "rationale_statement", - "prose": "TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided." - }, - { - "id": "CIS-1.2.35_impact_statement", - "name": "impact_statement", - "prose": "API server clients that cannot support the custom cryptographic ciphers will not be able to make connections to the API server." - }, - { - "id": "CIS-1.2.35_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the directions above and in the OpenShift documentation Configuring Ingress." - }, - { - "id": "CIS-1.2.35_audit_procedure", - "name": "audit_procedure", - "prose": "Ciphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. 
There are four TLS security profile types:\n\n- Old\n- Intermediate\n- Modern\n- Custom\n\nOnly the Old, Intermediate and Custom profiles are supported at this time. Custom provides the ability to specify individual TLS security profile parameters. Follow the steps in the documentation to configure the cipher suite for Ingress and the API server. [Ingress controller configuration parameters](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress)\n\nRun the following commands to verify the cipher suite and `minTLSversion` for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and `Kube APIserver`.\n\n```\n# verify cipher suites\noc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\\-0\\-config\\-system\\-cliconfig}' | jq .servingInfo\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\noc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\noc describe --namespace=openshift-ingress-operator ingresscontroller/default\n```\n\nVerify that the `tlsSecurityProfile` is set to the value you chose. \n\nNote: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2." 
- }, - { - "id": "CIS-1.2.35_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.;" - } - ] - } - ] - }, - { - "id": "CIS-1.3", - "title": "Controller Manager", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-1.3_smt", - "name": "statement", - "prose": "This section contains recommendations relating to Controller Manager configuration flags. In OpenShift 4, the Controller Manager is managed with the cluster Controller Manager Operator. There are two operators: the OpenShift Controller operator and the Kube Controller operator. The OpenShift Controller Manager operator manages the OpenShift Controller Manager. The Kubernetes Controller Manager operator manages and updates the [Kubernetes Controller Manager](https://github.com/kubernetes/kubernetes) deployed on top of [OpenShift](https://openshift.io/). All calls are directed to the OpenShift Controller Manager and then Kubernetes objects are delegated to the Kubernetes Controller Manager." 
- } - ], - "controls": [ - { - "id": "CIS-1.3.1", - "title": "Ensure that garbage collection is configured as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#e3a167bb-1cbd-4137-b983-f58504c4e56a", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.3.1_smt", - "name": "statement", - "prose": "Activate garbage collector on pod termination, as appropriate." - }, - { - "id": "CIS-1.3.1_rationale_statement", - "name": "rationale_statement", - "prose": "Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. 
Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection." - }, - { - "id": "CIS-1.3.1_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.3.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "To configure, follow the directions in [Configuring garbage collection for containers and images](\nhttps://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring)" - }, - { - "id": "CIS-1.3.1_audit_procedure", - "name": "audit_procedure", - "prose": "Two types of garbage collection are performed on an OpenShift Container Platform node: \n\n- Container garbage collection: Removes terminated containers.\n- Image garbage collection: Removes images not referenced by any running pods.\n\nContainer garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. 
Default values are found here https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L554-L604\n\nThe OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a `kubeletConfig` object for each Machine Config Pool using any combination of the following:\n\n- soft eviction for containers\n- hard eviction for containers\n- eviction for images\n\nTo configure, follow the directions in \n\nhttps://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring\n\nTo verify settings, run the following command for each updated `configpool`\n\n```\noc get machineconfigpool\n\n# For each machineconfigpool\noc describe machineconfigpool \n\n#For example\noc describe machineconfigpool master\noc describe machineconfigpool worker\n```\n\nVerify the values for the following are set as appropriate.\n\n`eviction-soft`\n`evictionSoftGracePeriod`\n`evictionHard`\n`evictionPressureTransitionPeriod`" - }, - { - "id": "CIS-1.3.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Enable Anti-Exploitation Features CONTROL:v8 10.5 DESCRIPTION:Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.;TITLE:Establish Secure Configurations CONTROL:v7 5.1 DESCRIPTION:Maintain documented, standard security configuration standards for all authorized operating systems and software.;" - } - ] - }, - { - "id": "CIS-1.3.2", - "title": "Ensure that controller manager healthz endpoints are protected by RBAC", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0001, T1078, T1548, M1018" - } - ], - "links": [ - { - "href": "#66d532eb-5316-4b56-9a65-2cb7a0905f7e", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.3.2_smt", - "name": "statement", - "prose": "Disable profiling, if not needed." - }, - { - "id": "CIS-1.3.2_rationale_statement", - "name": "rationale_statement", - "prose": "Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface." - }, - { - "id": "CIS-1.3.2_impact_statement", - "name": "impact_statement", - "prose": "Profiling information would not be available." 
- }, - { - "id": "CIS-1.3.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required; profiling is protected by RBAC." - }, - { - "id": "CIS-1.3.2_audit_procedure", - "name": "audit_procedure", - "prose": "By default, the Controller Manager operator exposes metrics via the metrics service. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to cluster-admin or cluster-debugger role. \n\nProfiling can not be disabled. \n\nTo verify the configuration, run the following command:\n\nRun the following command:\n\n```\n# Verify configuration for ports, livenessProbe, readinessProbe, healthz\noc -n openshift-kube-controller-manager get cm kube-controller-manager-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# Verify endpoints\noc -n openshift-kube-controller-manager describe endpoints\n\n# Test to validate RBAC enabled on the controller endpoint; check with non-admin role\noc project openshift-kube-controller-manager\n\nPOD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}')\n\nPORT=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].spec.containers[0].ports[0].hostPort}')\n\n# Following should return 403 Forbidden\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -k\n\n# Create a service account to test RBAC\noc create -n openshift-kube-controller-manager sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa -n openshift-kube-controller-manager get-token permission-test-sa)\noc rsh -n openshift-kube-controller-manager ${POD} curl 
https://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete -n openshift-kube-controller-manager sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the livenessProbe and readinessProbe are set to path: `healthz`.\n\nVerify that regular users cannot learn anything about the controller manager.\n\nVerify that users with the cluster_admin role can retrieve metrics from the endpoint." - }, - { - "id": "CIS-1.3.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.3.3", - "title": "Ensure that the --use-service-account-credentials argument is set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#3505a93f-6a2a-47c9-b131-a82dff05e6bb", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.3.3_smt", - "name": "statement", - "prose": "Use individual service account credentials for each controller." 
- }, - { - "id": "CIS-1.3.3_rationale_statement", - "name": "rationale_statement", - "prose": "The controller manager creates a service account per controller in the `kube-system` namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks." - }, - { - "id": "CIS-1.3.3_impact_statement", - "name": "impact_statement", - "prose": "Whatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the `kube-system` namespace automatically with default roles and `rolebindings` that are auto-reconciled on startup.\n\nIf using other authorization methods (ABAC, Webhook, etc), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles." - }, - { - "id": "CIS-1.3.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "The OpenShift Controller Manager operator manages and updates the OpenShift Controller Manager. The Kubernetes Controller Manager operator manages and updates the [Kubernetes Controller Manager](https://github.com/kubernetes/kubernetes) deployed on top of [OpenShift](https://openshift.io/). This operator is configured via [KubeControllerManager](https://github.com/openshift/api/blob/master/operator/v1/types_kubecontrollermanager.go) custom resource." 
- }, - { - "id": "CIS-1.3.3_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift, `--use-service-account-credentials` is set to `true` by default for the Controller Manager. The bootstrap configuration and overrides are available here: \n\n[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml)\n\n[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml)\n\nRun the following command on the master node:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"use-service-account-credentials\"][]'\n```\n\nVerify that the `--use-service-account-credentials` argument is set to `true`." - }, - { - "id": "CIS-1.3.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. 
;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" - } - ] - }, - { - "id": "CIS-1.3.4", - "title": "Ensure that the --service-account-private-key-file argument is set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#f9793b52-6b7b-4e7b-aae7-e19bbbc5fba4", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.3.4_smt", - "name": "statement", - "prose": "Explicitly set a service account private key file for service accounts on the controller manager." 
- }, - { - "id": "CIS-1.3.4_rationale_statement", - "name": "rationale_statement", - "prose": "To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate." - }, - { - "id": "CIS-1.3.4_impact_statement", - "name": "impact_statement", - "prose": "You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy." - }, - { - "id": "CIS-1.3.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. OpenShift manages the service account credentials for the scheduler automatically." - }, - { - "id": "CIS-1.3.4_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift starts the Kubernetes Controller Manager with service-account-private-key-file set to `/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key`. 
\n\nThe bootstrap configuration and overrides are available here: \n\n[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml)\n\n[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml)\n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"service-account-private-key-file\"][]'\n```\n\nVerify that the following is returned\n\n`/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key`" - }, - { - "id": "CIS-1.3.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. 
;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" - } - ] - }, - { - "id": "CIS-1.3.5", - "title": "Ensure that the --root-ca-file argument is set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#619a4bf8-1ef8-440e-8b2f-b8eae6ff3e56", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.3.5_smt", - "name": "statement", - "prose": "Allow pods to verify the API server's serving certificate before establishing connections." 
- }, - { - "id": "CIS-1.3.5_rationale_statement", - "name": "rationale_statement", - "prose": "Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks.\n\nProviding the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server." - }, - { - "id": "CIS-1.3.5_impact_statement", - "name": "impact_statement", - "prose": "OpenShift clusters manage and maintain certificate authorities and certificates for cluster components." - }, - { - "id": "CIS-1.3.5_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform." - }, - { - "id": "CIS-1.3.5_audit_procedure", - "name": "audit_procedure", - "prose": "Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq -r '.extendedArguments[\"root-ca-file\"][]'\n```\n\nVerify that the `--root-ca-file` argument exists and is set to `/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt`." - }, - { - "id": "CIS-1.3.5_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. 
Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" - } - ] - }, - { - "id": "CIS-1.3.6", - "title": "Ensure that the RotateKubeletServerCertificate argument is set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#6023ef46-fe27-4793-93b7-ce98ced8c51f", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.3.6_smt", - "name": "statement", - "prose": "Enable kubelet server certificate rotation on controller-manager." 
- }, - { - "id": "CIS-1.3.6_rationale_statement", - "name": "rationale_statement", - "prose": "`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself." - }, - { - "id": "CIS-1.3.6_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.3.6_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform." - }, - { - "id": "CIS-1.3.6_audit_procedure", - "name": "audit_procedure", - "prose": "Certificates for the kubelet are automatically created and rotated by the OpenShift Container Platform. The kubelet is installed automatically on every RHCOS node. The OpenShift `kubelet-serving-CA` manages certificates for the kubelet. Kubelet certificates are automatically issued and rotated. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq -r '.extendedArguments[\"feature-gates\"][]'\n```\n\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`." - }, - { - "id": "CIS-1.3.6_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. 
Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" - } - ] - }, - { - "id": "CIS-1.3.7", - "title": "Ensure that the --bind-address argument is set to 127.0.0.1", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0002, T1106, M1035" - } - ], - "links": [ - { - "href": "#6ebf3416-fb70-4668-877f-7b32f2b95156", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.3.7_smt", - "name": "statement", - "prose": "Do not bind 
the Controller Manager service to non-loopback insecure addresses." - }, - { - "id": "CIS-1.3.7_rationale_statement", - "name": "rationale_statement", - "prose": "The Controller Manager API service which runs on port 10257/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface" - }, - { - "id": "CIS-1.3.7_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.3.7_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. The OpenShift operators configure this correctly." - }, - { - "id": "CIS-1.3.7_audit_procedure", - "name": "audit_procedure", - "prose": "The `bind-address` argument is not used. The `secure-port` argument is set to `10257`. The `insecure-port` argument is set to `0`. \n\nRun the following command:\n\n```\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq '.extendedArguments[\"secure-port\"][]'\n\noc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data[\"config.yaml\"]' | jq '.extendedArguments[\"port\"][]'\n\n#Following should fail with a http code 403\nPOD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}')\n\noc rsh -n openshift-kube-controller-manager -c kube-controller-manager $POD curl https://localhost:10257/metrics -k\n```\n\nVerify that `secure-port` is set to `10257` and that `port` is set to `0`.\n\nVerify that attempt to access the controller manager metrics fails with a HTTP code 403." 
- }, - { - "id": "CIS-1.3.7_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Use of Secure Network Management and Communication Protocols  CONTROL:v8 12.6 DESCRIPTION:Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" - } - ] - } - ] - }, - { - "id": "CIS-1.4", - "title": "Scheduler", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-1.4_smt", - "name": "statement", - "prose": "This section contains recommendations relating to Scheduler configuration flags. \n\nIn OpenShift 4, the Scheduler is managed with the Kubernetes Scheduler Operator. The Kubernetes Scheduler Operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift Container Platform. The operator is installed with the Cluster Version Operator (CVO). 
The Kubernetes Scheduler Operator contains the following components:\n\n- Operator\n- Bootstrap manifest renderer\n- Installer based on static pods\n- Configuration observer\n\nBy default, the Operator exposes Prometheus metrics through the metrics service" - } - ], - "controls": [ - { - "id": "CIS-1.4.1", - "title": "Ensure that the healthz endpoints for the scheduler are protected by RBAC", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0002, T1609, M1035" - } - ], - "links": [ - { - "href": "#cbb79ba5-171a-4d74-b1c0-8320a2768d32", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.4.1_smt", - "name": "statement", - "prose": "Disable profiling, if not needed." 
- }, - { - "id": "CIS-1.4.1_rationale_statement", - "name": "rationale_statement", - "prose": "Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface." - }, - { - "id": "CIS-1.4.1_impact_statement", - "name": "impact_statement", - "prose": "Profiling information would not be available." - }, - { - "id": "CIS-1.4.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "A fix to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488\n\nNone required. Profiling is protected by RBAC and cannot be disabled." - }, - { - "id": "CIS-1.4.1_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`\n\nTo ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled. 
\n\nTo verify the configuration, run the following command:\n\nRun the following command:\n\n```\n# check configuration for ports, livenessProbe, readinessProbe, healthz\n\noc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# Test to verify endpoints\n\noc -n openshift-kube-scheduler describe endpoints\n\nTest to validate RBAC enabled on the scheduler endpoint; check with non-admin role\n\noc project openshift-kube-scheduler\n\nPOD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')\n\nPORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')\n\n# Should return 403 Forbidden\noc rsh ${POD} curl http://localhost:${PORT}/metrics -k\n\n# Create a service account to test RBAC\noc create sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa get-token permission-test-sa)\n\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the livenessProbe and readinessProbe are set to path: `healthz`.\n\nVerify that only users with the `cluster_admi`n role can retrieve metrics from the endpoint.\n\nVerify that a regular user cannot get information about the scheduler. NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" - }, - { - "id": "CIS-1.4.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 
Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-1.4.2", - "title": "Verify that the scheduler API service is protected by authentication and authorization", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0002, T1106, M1035" - } - ], - "links": [ - { - "href": "#2ff045aa-73f4-4a43-847e-2800c9103fc5", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-1.4.2_smt", - "name": "statement", - "prose": "Do not bind the scheduler service to non-loopback insecure addresses." - }, - { - "id": "CIS-1.4.2_rationale_statement", - "name": "rationale_statement", - "prose": "The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface" - }, - { - "id": "CIS-1.4.2_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-1.4.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "By default, the `--bind-address` argument is not present, the readinessProbe and `livenessProbe` arguments are set to `10251` and the `port` argument is set to `0`.\n\nCheck the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" - }, - { - "id": "CIS-1.4.2_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1`\n\nTo ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. 
Profiling can not be disabled. \n\nThe bind-address argument is not used. Both authentication and authorization are in place.\n\nhttps://github.com/openshift/cluster-kube-scheduler-operator\n\nRun the following command:\n\n```\n# to verify endpoints\n\noc -n openshift-kube-scheduler describe endpoints\n\n# To verify that bind-adress is not used in the configuration and that port is set to 0\noc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data.\"pod.yaml\"' | jq '.spec.containers'\n\n# To test for RBAC: \noc project openshift-kube-scheduler\n\nPOD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}')\n\nPOD_IP=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].status.podIP}')\n\nPORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}')\n\n# Should return a 403\noc rsh ${POD} curl http://${POD_IP}:${PORT}/metrics\n\n# Create a service account to test RBAC\noc create sa permission-test-sa\n\n# Should return 403 Forbidden\nSA_TOKEN=$(oc sa get-token permission-test-sa)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $SA_TOKEN\" -k\n\n# Cleanup\noc delete sa permission-test-sa\n\n# As cluster admin, should succeed\nCLUSTER_ADMIN_TOKEN=$(oc whoami -t)\noc rsh ${POD} curl http://localhost:${PORT}/metrics -H \"Authorization: Bearer $CLUSTER_ADMIN_TOKEN\" -k\n```\n\nVerify that the --bind-address argument is not present and that `healthz` is bound to `port` `10251`.\n\nVerify that only users with the cluster_admin role can retrieve metrics from the endpoint.\n\nVerify that a regular user cannot get information about the scheduler. 
NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488" - }, - { - "id": "CIS-1.4.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Maintain and Enforce Network-Based URL Filters CONTROL:v8 9.3 DESCRIPTION:Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" - } - ] - } - ] - } - ] - }, - { - "id": "CIS-2", - "title": "etcd", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-2_smt", - "name": "statement", - "prose": "This section covers recommendations for etcd configuration.\nThe OpenShift cluster-etcd-operator (CEO) is an operator that handles the scaling of etcd during cluster bootstrap and regular operation. The operator also manages provisioning etcd dependencies such as TLS certificates.\n\nOpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. The following certificates are generated and used by etcd and other processes that communicate with etcd:\n\n- Peer certificates: Used for communication between etcd members.\n- Client certificates: Used for encrypted server-client communication. 
Client certificates are currently used by the API server only, and no other service should connect to etcd directly except for the proxy. Client secrets (etcd-client, etcd-metric-client, etcd-metric-signer, and etcd-signer) are added to the openshift-config, openshift-monitoring, and openshift-kube-apiserver namespaces.\n- Server certificates: Used by the etcd server for authenticating client requests.\n- Metric certificates: All metric consumers connect to proxy with metric-client certificates." - } - ], - "controls": [ - { - "id": "CIS-2.1", - "title": "Ensure that the --cert-file and --key-file arguments are set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": 
"#2f934076-115e-4a0e-a143-32b8ef9b6ac9", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-2.1_smt", - "name": "statement", - "prose": "Configure TLS encryption for the `etcd` service." - }, - { - "id": "CIS-2.1_rationale_statement", - "name": "rationale_statement", - "prose": "`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit." - }, - { - "id": "CIS-2.1_impact_statement", - "name": "impact_statement", - "prose": "Client connections only over TLS would be served." - }, - { - "id": "CIS-2.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "OpenShift does not use the `etcd-certfile` or `etcd-keyfil`e flags. Certificates for `etcd` are managed by the `etcd` cluster operator." - }, - { - "id": "CIS-2.1_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift generates these files and sets the arguments appropriately. OpenShift does not use the `etcd-certfile` or `etcd-keyfile` flags. \n\nKeys and certificates for control plane components like `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` are stored with their respective static pod configurations in the directory `/etc/kubernetes/static-pod-resources/*/secrets`. 
\n\nRun the following command:\n\n```\n\n# For --cert-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--cert-file=[^ ]*\\).*/\\1/'\ndone\n\n# For --key-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--key-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that cert-file and key-file values are returned for each etcd member.\n`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.crt`\n`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.key`\n\nFor example:\n\n`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.crt`\n`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.key`" - }, - { - "id": "CIS-2.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. 
;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-2.2", - "title": "Ensure that the --client-cert-auth argument is set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#04d99409-c5ca-4dca-b891-b54d04ea091c", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-2.2_smt", - "name": "statement", - "prose": "Enable client authentication on etcd service." - }, - { - "id": "CIS-2.2_rationale_statement", - "name": "rationale_statement", - "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. 
These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service." - }, - { - "id": "CIS-2.2_impact_statement", - "name": "impact_statement", - "prose": "All clients attempting to access the etcd server will require a valid client certificate." - }, - { - "id": "CIS-2.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "This setting is managed by the cluster etcd operator. No remediation required." - }, - { - "id": "CIS-2.2_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift installation generates these files and sets the arguments appropriately. The following certificates are generated and used by etcd and other processes that communicate with etcd:\n\n- Client certificates: Client certificates are currently used by the API server only, and no other service should connect to etcd directly except for the proxy. Client secrets (`etcd-client`, `etcd-metric-client`, `etcd-metric-signer`, and `etcd-signer`) are added to the `openshift-config`, `openshift-monitoring`, and `openshift-kube-apiserver` namespaces.\n- Server certificates: Used by the etcd server for authenticating client requests.\n\nRun the following command on the etcd server node:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--client-cert-auth=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the `--client-cert-auth` argument is set to `true` for each etcd member." - }, - { - "id": "CIS-2.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. 
Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" - } - ] - }, - { - "id": "CIS-2.3", - "title": "Ensure that the --auto-tls argument is not set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - 
"links": [ - { - "href": "#99e79ffc-d5d4-4ad9-91c9-0115bfc0f6a2", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-2.3_smt", - "name": "statement", - "prose": "Do not use self-signed certificates for TLS." - }, - { - "id": "CIS-2.3_rationale_statement", - "name": "rationale_statement", - "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service." - }, - { - "id": "CIS-2.3_impact_statement", - "name": "impact_statement", - "prose": "Clients will not be able to use self-signed certificates for TLS." - }, - { - "id": "CIS-2.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "This setting is managed by the cluster etcd operator. No remediation required." - }, - { - "id": "CIS-2.3_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift configures etcd with secure communication. Openshift installs etcd as static pods on control plane nodes, and mounts the configuration files from /etc/etcd/ on the host. The `etcd.conf` file includes `auto-tls` configurations as referenced in `/etc/etcd/etcd.conf`. \n\nOpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. \n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. 
\n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n- Cluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\n# Returns 0 if found, 1 if not found\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | grep -- --auto-tls=true 2>&1>/dev/null ; \\\n echo $?\ndone\n```\n\nVerify that 1 is returned for each etcd member." - }, - { - "id": "CIS-2.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-2.4", - "title": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { 
- "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#c480cf85-174b-4355-b88d-00671113c7a1", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-2.4_smt", - "name": "statement", - "prose": "etcd should be configured to make use of TLS encryption for peer connections." - }, - { - "id": "CIS-2.4_rationale_statement", - "name": "rationale_statement", - "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters." - }, - { - "id": "CIS-2.4_impact_statement", - "name": "impact_statement", - "prose": "etcd cluster peers are set up TLS for their communication." - }, - { - "id": "CIS-2.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "None. This configuration is managed by the etcd operator." - }, - { - "id": "CIS-2.4_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.\n\nOpenshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. 
The `etcd.conf` file includes `peer-cert-file` and `peer-key-file` configurations as referenced in `/etc/etcd/etcd.conf`.\n\nRun the following command:\n\n```\n\n# For --peer-cert-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-cert-file=[^ ]*\\).*/\\1/'\ndone\n\n# For --peer-key-file\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-key-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the following is returned for each etcd member.\n`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.crt`\n`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.key`\n\nFor example\n`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.crt`\n`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.key`" - }, - { - "id": "CIS-2.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-2.5", - "title": "Ensure that the --peer-client-cert-auth argument is set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#04062f96-b445-49e4-b38d-4951b110f77b", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-2.5_smt", - "name": "statement", - "prose": "etcd should be configured for peer authentication." 
- }, - { - "id": "CIS-2.5_rationale_statement", - "name": "rationale_statement", - "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster." - }, - { - "id": "CIS-2.5_impact_statement", - "name": "impact_statement", - "prose": "All peers attempting to communicate with the etcd server require a valid client certificate for authentication." - }, - { - "id": "CIS-2.5_remediation_procedure", - "name": "remediation_procedure", - "prose": "This setting is managed by the cluster etcd operator. No remediation required." - }, - { - "id": "CIS-2.5_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.\n\nOpenshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. The `etcd.conf` file includes `peer-client-cert-auth` configurations as referenced in `/etc/etcd/etcd.conf`. \n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-client-cert-auth=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that the `--peer-client-cert-auth` argument is set to `true` for each etcd member." 
- }, - { - "id": "CIS-2.5_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-2.6", - "title": "Ensure that the --peer-auto-tls argument is not set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#634f886c-c6f9-4d79-98fe-a68ec9ce12db", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-2.6_smt", - "name": "statement", - "prose": "Do not use automatically generated self-signed certificates for TLS connections between peers." - }, - { - "id": "CIS-2.6_rationale_statement", - "name": "rationale_statement", - "prose": "etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication." - }, - { - "id": "CIS-2.6_impact_statement", - "name": "impact_statement", - "prose": "All peers attempting to communicate with the etcd server require a valid client certificate for authentication." - }, - { - "id": "CIS-2.6_remediation_procedure", - "name": "remediation_procedure", - "prose": "This setting is managed by the cluster etcd operator. No remediation required." - }, - { - "id": "CIS-2.6_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift does not use the `--peer-auto-tls` argument. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. 
The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. This means that\n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. \n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n\nCluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\n# Returns 0 if found, 1 if not found\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>&1>/dev/null ; \\\n echo $?\ndone\n```\n\nVerify that 1 is returned for each etcd member." - }, - { - "id": "CIS-2.6_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. 
;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;" - } - ] - }, - { - "id": "CIS-2.7", - "title": "Ensure that a unique Certificate Authority is used for etcd", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1022" - } - ], - "links": [ - { - "href": "#2363ce8b-2795-4ad8-b608-b705247cb6ab", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-2.7_smt", - "name": "statement", - "prose": "Use a different certificate authority for etcd from the one used for Kubernetes." 
- }, - { - "id": "CIS-2.7_rationale_statement", - "name": "rationale_statement", - "prose": "etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. Its access should be restricted to specifically designated clients and peers only.\n\nAuthentication to etcd is based on whether the certificate presented was issued by a trusted certificate authority. There is no checking of certificate attributes such as common name or subject alternative name. As such, if any attackers were able to gain access to any certificate issued by the trusted certificate authority, they would be able to gain full access to the etcd database." - }, - { - "id": "CIS-2.7_impact_statement", - "name": "impact_statement", - "prose": "Additional management of the certificates and keys for the dedicated certificate authority will be required." - }, - { - "id": "CIS-2.7_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. Certificates for etcd are managed by the OpenShift cluster etcd operator." - }, - { - "id": "CIS-2.7_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. OpenShift uses a separate CA for etcd.\n\nThese internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. This means that\n\n- Each cluster CA can only issue certificates for its own purpose within its own cluster. 
\n- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.\n\nCluster CAs cannot be influenced by an external CA that the cluster does not control.\n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--trusted-ca-file=[^ ]*\\).*/\\1/'\ndone\n\nfor i in $(oc get pods -oname -n openshift-etcd)\ndo\n oc exec -n openshift-etcd -c etcd $i -- \\\n ps -o command= -C etcd | sed 's/.*\\(--peer-trusted-ca-file=[^ ]*\\).*/\\1/'\ndone\n```\n\nVerify that `--trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt` and `--peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt` are returned for each member." - }, - { - "id": "CIS-2.7_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. 
;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" - } - ] - } - ] - }, - { - "id": "CIS-3", - "title": "Control Plane Configuration", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-3_smt", - "name": "statement", - "prose": "This section contains recommendations for cluster-wide areas, such as authentication and logging. Unlike section 1 these recommendations should apply to all deployments." - } - ], - "groups": [ - { - "id": "CIS-3.1", - "title": "Authentication and Authorization", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "controls": [ - { - "id": "CIS-3.1.1", - "title": "Client certificate authentication should not be used for users", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - 
"name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0003, TA0006, T1078, T1098, M1027, M1032" - } - ], - "links": [ - { - "href": "#8ebb9358-103a-43af-b4c2-e186afa69e70", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-3.1.1_smt", - "name": "statement", - "prose": "Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication." - }, - { - "id": "CIS-3.1.1_rationale_statement", - "name": "rationale_statement", - "prose": "With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation." - }, - { - "id": "CIS-3.1.1_impact_statement", - "name": "impact_statement", - "prose": "External mechanisms for authentication generally require additional software to be deployed." - }, - { - "id": "CIS-3.1.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "Configure an identity provider for the OpenShift cluster. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html). Once an identity provider has been defined, you can use RBAC to define and apply permissions. 
After you define an identity provider and create a new `cluster-admin` user, remove the `kubeadmin` user to improve cluster security." - }, - { - "id": "CIS-3.1.1_audit_procedure", - "name": "audit_procedure", - "prose": "For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. [Understanding authentication | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html)\n\nThe OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html)\n\nRun the following commands:\n\n```\n\n# To verify user authentication is enabled\noc describe authentication\n\n# To verify that an identity provider is configured\noc get identity\n\n# To verify that a custom cluster-admin user exists\noc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User\n\n# To verity that kbueadmin is removed, no results should be returned\noc get secrets kubeadmin -n kube-system\n```\n\nVerify that authentication is running. \n\nVerify that at least one identity provider is configured.\n\nVerify that at least one user has cluster-admin role. 
For example\n`NAME: cluster-admin-0` `ROLE: cluster-admin` `SUBJECT:*.kind User`\n\nVerify that the `kubeadmin` user no longer exists" - }, - { - "id": "CIS-3.1.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;" - } - ] - } - ] - }, - { - "id": "CIS-3.2", - "title": "Logging", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "controls": [ - { - "id": "CIS-3.2.1", - "title": "Ensure that a minimal audit policy is created", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "MITRE_ATTaCK_Mappings", - 
"ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0003, TA0004, T1543, M1026" - } - ], - "links": [ - { - "href": "#c2f5eee5-88b7-438f-9493-c5746ff68ce2", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-3.2.1_smt", - "name": "statement", - "prose": "Kubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled." - }, - { - "id": "CIS-3.2.1_rationale_statement", - "name": "rationale_statement", - "prose": "Logging is an important detective control for all systems, to detect potential unauthorised access." - }, - { - "id": "CIS-3.2.1_impact_statement", - "name": "impact_statement", - "prose": "Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes." - }, - { - "id": "CIS-3.2.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "No remediation required." - }, - { - "id": "CIS-3.2.1_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift, auditing of the API Server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. 
Each audit log contains two entries:\n\nThe request line containing:\n\nA Unique ID allowing to match the response line (see #2)\n- The source IP of the request\n- The HTTP method being invoked\n- The original user invoking the operation\n- The impersonated user for the operation (self meaning himself)\n- The impersonated group for the operation (lookup meaning user’s group)\n- The namespace of the request or \n- The URI as requested\n\nThe response line containing:\n- The unique ID from #1\n- The response code\n\nYou can view logs for the OpenShift Container Platform API server or the Kubernetes API server for each master node. Follow the steps in documentation. [Viewing the audit log](https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html#nodes-nodes-audit-log-basic-viewing_nodes-nodes-audit-log)\n\n```\n\n#To view kube apiserver log files\noc adm node-logs --role=master --path=kube-apiserver/\n\n#To view openshift apiserver log files\noc adm node-logs --role=master --path=openshift-apiserver/\n\n#To verify kube apiserver audit config\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig[]'\n\n#To verify openshift apiserver audit config\noc get configmap config -n openshift-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig[]'\n```\n\nVerify that log files are returned. \n\nVerify the audit log configuration." 
- }, - { - "id": "CIS-3.2.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Activate audit logging CONTROL:v7 6.2 DESCRIPTION:Ensure that local logging has been enabled on all systems and networking devices.;" - } - ] - }, - { - "id": "CIS-3.2.2", - "title": "Ensure that the audit policy covers key security concerns", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0003, TA0004, T1543, M1026" - } - ], - "links": [ - { - "href": "#86318b47-61fc-4f0e-ac04-fed8c9da28bd", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-3.2.2_smt", - "name": "statement", - "prose": "Ensure that the audit policy created for the cluster covers key security concerns." 
- }, - { - "id": "CIS-3.2.2_rationale_statement", - "name": "rationale_statement", - "prose": "Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a security environment." - }, - { - "id": "CIS-3.2.2_impact_statement", - "name": "impact_statement", - "prose": "Increasing audit logging will consume resources on the nodes or other log destinations." - }, - { - "id": "CIS-3.2.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "In OpenShift 4.6 and higher, if appropriate for your needs, modify the audit policy." - }, - { - "id": "CIS-3.2.2_audit_procedure", - "name": "audit_procedure", - "prose": "Review the audit policy provided for the cluster and ensure that it covers at least the following areas:\n\n- Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data.\n- Modification of pod and deployment objects.\n- Use of `pods/exec`, `pods/portforward`, `pods/proxy and services/proxy`.\n\nFor most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).\n\nAudit policy is supported as of OpenShift 4.6, but not in earlier versions. You can configure the audit feature to set log level, retention policy, and the type of events to log. You can set the log level settings for an overall component or the API server to one of the following. 
The setting can be different for each setting.\n\n```\n\n#To verify openshift apiserver audit config\noc get configmap config -n openshift-kube-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig.policyConfiguration.rules[]'\n\n#To verify kube apiserver audit config\noc get configmap config -n openshift-apiserver -ojson | \\\n jq -r '.data[\"config.yaml\"]' | \\\n jq '.auditConfig.policyConfiguration.rules[]'\n```" - }, - { - "id": "CIS-3.2.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Enforce Detail Logging for Access or Changes to Sensitive Data CONTROL:v7 14.9 DESCRIPTION:Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).;TITLE:Enforce Detailed Audit Logging For Sensitive Information CONTROL:v6 14.6 DESCRIPTION:Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.;" - } - ] - } - ] - } - ] - }, - { - "id": "CIS-4", - "title": "Worker Nodes", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-4_smt", - "name": "statement", - "prose": "This section consists of security recommendations for the components that run on Kubernetes worker nodes.\n\nNote that these components may also run on Kubernetes master nodes, so the recommendations in this section should be applied to master nodes as well as worker nodes where the master nodes make use of these components." 
- } - ], - "groups": [ - { - "id": "CIS-4.1", - "title": "Worker Node Configuration Files", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-4.1_smt", - "name": "statement", - "prose": "This section covers recommendations for configuration files on the worker nodes. As the same files exist on the master nodes, the same commands should be run on all nodes. \n\nIn OpenShift 4, node configuration files are managed by the Machine Config Operator." - } - ], - "controls": [ - { - "id": "CIS-4.1.1", - "title": "Ensure that the kubelet service file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - 
"value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#5523abbc-69be-44aa-b8f0-0d7765282334", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.1_smt", - "name": "statement", - "prose": "Ensure that the kubelet service file has permissions of 600 or more restrictive." - }, - { - "id": "CIS-4.1.1_rationale_statement", - "name": "rationale_statement", - "prose": "The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-4.1.1_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "execute command:\n\n```\nchmod 600 /etc/systemd/system/kubelet.service\n```" - }, - { - "id": "CIS-4.1.1_audit_procedure", - "name": "audit_procedure", - "prose": "Kubelet is run as a `systemd` unit and its configuration file is created with `644` permissions.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the permissions are `600` or more restrictive." - }, - { - "id": "CIS-4.1.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-4.1.2", - "title": "Ensure that the kubelet service file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#5ee947fa-4977-45ef-9514-b79a9a6f8f3b", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.2_smt", - "name": "statement", - "prose": "Ensure that the kubelet service file ownership is set to `root:root`." 
- }, - { - "id": "CIS-4.1.2_rationale_statement", - "name": "rationale_statement", - "prose": "The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-4.1.2_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "By default, the kubelet service file has ownership of `root:root`." - }, - { - "id": "CIS-4.1.2_audit_procedure", - "name": "audit_procedure", - "prose": "Run the following command:\n\n```\n\n# Should return root:root for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-4.1.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" - } - ] - }, - { - "id": "CIS-4.1.3", - "title": "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#5c7d8368-40e9-4cca-9c90-c8a1505f9eb8", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.3_smt", - "name": "statement", - "prose": "If `kube-proxy` is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-4.1.3_rationale_statement", - "name": "rationale_statement", - "prose": "The `kube-proxy` kubeconfig file controls various parameters of the `kube-proxy` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\nIt is possible to run `kube-proxy` with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file." - }, - { - "id": "CIS-4.1.3_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "execute command:\n\nchmod 600 /config/kube-proxy-config.yaml" - }, - { - "id": "CIS-4.1.3_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with `644` permissions.\n\nRun the following command:\n\n```\n\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname)\ndo\n oc exec -n openshift-sdn $i -- \\\n stat -Lc %a /config/kube-proxy-config.yaml\ndone\n```\n\nVerify that the `kube-proxy-config.yaml` file has permissions of `600`." - }, - { - "id": "CIS-4.1.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-4.1.4", - "title": "If proxy kubeconfig file exists ensure ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#201ef3a5-b95c-4b95-9ca6-041cc45753f3", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.4_smt", - "name": "statement", - "prose": "If `kube-proxy` is running, ensure that the file ownership of its kubeconfig file is set to `root:root`." 
- }, - { - "id": "CIS-4.1.4_rationale_statement", - "name": "rationale_statement", - "prose": "The kubeconfig file for `kube-proxy` controls various parameters for the `kube-proxy` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-4.1.4_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. The configuration is managed by OpenShift operators." - }, - { - "id": "CIS-4.1.4_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with root:root ownership. \n\nRun the following command:\n\n```\nfor i in $(oc get pods -n openshift-sdn -l app=sdn -oname)\ndo\n oc exec -n openshift-sdn $i -- \\\n stat -Lc %U:%G /config/kube-proxy-config.yaml\ndone\n```\n\nVerify that the `kube-proxy-config.yaml` file has ownership root:root." - }, - { - "id": "CIS-4.1.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" - } - ] - }, - { - "id": "CIS-4.1.5", - "title": "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#2679f20e-d437-4fbd-94d3-9300deb20362", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.5_smt", - "name": "statement", - "prose": "Ensure that the `kubelet.conf` file has permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-4.1.5_rationale_statement", - "name": "rationale_statement", - "prose": "The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-4.1.5_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.5_remediation_procedure", - "name": "remediation_procedure", - "prose": "run command:\n\n```\nchmod 600 /etc/kubernetes/kubelet.conf\n```" - }, - { - "id": "CIS-4.1.5_audit_procedure", - "name": "audit_procedure", - "prose": "The node's `kubeconfig` is created with `644` permissions. \n\nRun the following command:\n\n```\n# Check permissions\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/kubelet.conf\ndone\n```\n\nVerify that the permissions are `600`." - }, - { - "id": "CIS-4.1.5_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-4.1.6", - "title": "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#efb94d9e-c91c-4b0b-8201-aa94f6c582b2", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.6_smt", - "name": "statement", - "prose": "Ensure that the `kubelet.conf` file ownership is set to `root:root`." 
- }, - { - "id": "CIS-4.1.6_rationale_statement", - "name": "rationale_statement", - "prose": "The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-4.1.6_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.6_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-4.1.6_audit_procedure", - "name": "audit_procedure", - "prose": "The node's `kubeconfig` is created with `root:root` ownership. \n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/kubelet.conf\ndone\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-4.1.6_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" - } - ] - }, - { - "id": "CIS-4.1.7", - "title": "Ensure that the certificate authorities file permissions are set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#119a992c-26bc-44e0-819f-c53616338a13", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.7_smt", - "name": "statement", - "prose": "Ensure that the certificate authorities file has permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-4.1.7_rationale_statement", - "name": "rationale_statement", - "prose": "The certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-4.1.7_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.7_remediation_procedure", - "name": "remediation_procedure", - "prose": "execute command:\n\n```\nchmod 600 /etc/kubernetes/cert/ca.pem\n```" - }, - { - "id": "CIS-4.1.7_audit_procedure", - "name": "audit_procedure", - "prose": "The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The \n`/etc/kubernetes/cert/kubelet-ca.crt` file has permissions `600`.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/cert/ca.pem\ndone\n```\n\nVerify that the permissions are `600`." - }, - { - "id": "CIS-4.1.7_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-4.1.8", - "title": "Ensure that the client certificate authorities file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#472cc874-97ff-4a4c-81bd-a3b565232455", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.8_smt", - "name": "statement", - "prose": "Ensure that the certificate authorities file ownership is set to `root:root`." 
- }, - { - "id": "CIS-4.1.8_rationale_statement", - "name": "rationale_statement", - "prose": "The certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-4.1.8_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.8_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-4.1.8_audit_procedure", - "name": "audit_procedure", - "prose": "The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The \n`/etc/kubernetes/kubelet-ca.crt` file has ownership `root:root`.\n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/ca.pem\ndone\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-4.1.8_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" - } - ] - }, - { - "id": "CIS-4.1.9", - "title": "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1022" - } - ], - "links": [ - { - "href": "#cec3a4bf-70ae-4eeb-b412-a52803f2e0d6", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.9_smt", - "name": "statement", - "prose": "Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of `600` or more restrictive." 
- }, - { - "id": "CIS-4.1.9_rationale_statement", - "name": "rationale_statement", - "prose": "The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system." - }, - { - "id": "CIS-4.1.9_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.9_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-4.1.9_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the `kublet.conf` file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/config.json` with file permissions set to `600`.\n\nRun the command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %a /var/lib/kubelet/config.json\ndone\n```\n\nVerify that the permissions are `600`." - }, - { - "id": "CIS-4.1.9_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;TITLE:Minimize And Sparingly Use Administrative Privileges CONTROL:v6 5.1 DESCRIPTION:Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.;" - } - ] - }, - { - "id": "CIS-4.1.10", - "title": "Ensure that the kubelet configuration file ownership is set to root:root", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, TA0007, T1083, T1222, M1026" - } - ], - "links": [ - { - "href": "#daac5ddf-fd89-4f90-acbe-3eaa4706cfb4", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.1.10_smt", - "name": "statement", - "prose": "Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by `root:root`." 
- }, - { - "id": "CIS-4.1.10_rationale_statement", - "name": "rationale_statement", - "prose": "The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by `root:root`." - }, - { - "id": "CIS-4.1.10_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.1.10_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-4.1.10_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/kubeconfig` with ownership set to `root:root`.\n\nRun the command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host stat -c %U:%G /var/lib/kubelet/config.json\ndone\n```\n\nVerify that the ownership is set to `root:root`." - }, - { - "id": "CIS-4.1.10_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" - } - ] - } - ] - }, - { - "id": "CIS-4.2", - "title": "Kubelet", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-4.2_smt", - "name": "statement", - "prose": "This section contains recommendations for kubelet configuration. In OpenShift 4, the kubelet is managed by the Machine Config Operator." 
- } - ], - "controls": [ - { - "id": "CIS-4.2.1", - "title": "Ensure that the --anonymous-auth argument is set to false", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#edffbd8c-2ca8-456c-8ff8-759a7e369a87", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.1_smt", - "name": "statement", - "prose": "Disable anonymous requests to the Kubelet server." - }, - { - "id": "CIS-4.2.1_rationale_statement", - "name": "rationale_statement", - "prose": "When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests." - }, - { - "id": "CIS-4.2.1_impact_statement", - "name": "impact_statement", - "prose": "Anonymous requests will be rejected." 
- }, - { - "id": "CIS-4.2.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the instructions in the documentation to create a Kubelet config CRD and set the `anonymous-auth` is set to `false`." - }, - { - "id": "CIS-4.2.1_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator and `anonymous-auth` is set to `false` by default.\n\nRun the following command on each node:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep -B4 -A1 anonymous: /etc/systemd/system/kubelet.conf\ndone\n```\n\nVerify that the `anonymous-auth` argument is set to `false`." - }, - { - "id": "CIS-4.2.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;" - } - ] - }, - { - "id": "CIS-4.2.2", - "title": "Ensure that the --authorization-mode argument is not set to AlwaysAllow", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#97c4e51f-69c2-48d6-8f3c-4820ce812ae7", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.2_smt", - "name": "statement", - "prose": "Do not allow all requests. Enable explicit authorization." - }, - { - "id": "CIS-4.2.2_rationale_statement", - "name": "rationale_statement", - "prose": "Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. 
You should restrict this behavior and only allow explicitly authorized requests." - }, - { - "id": "CIS-4.2.2_impact_statement", - "name": "impact_statement", - "prose": "Unauthorized requests will be denied." - }, - { - "id": "CIS-4.2.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes." - }, - { - "id": "CIS-4.2.2_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the kublet config file is managed by the Machine Config Operator. By default, Unauthenticated/Unauthorized users have no access to OpenShift nodes. Run the following command:\n\n```\n\n#In one terminal, run:\n oc proxy\n\n#Then in another terminal, run:\nfor name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}')\ndo \n curl -sS http://127.0.0.1:8080/api/v1/nodes/$name/proxy/configz | jq -r '.kubeletconfig.authorization.mode'\n done\n\n# Alternative without oc proxy\nPOD=$(oc -n openshift-kube-apiserver get pod -l app=openshift-kube-apiserver -o jsonpath='{.items[0].metadata.name}')\n\nTOKEN=$(oc whoami -t)\n\nfor name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}')\ndo\n oc exec -n openshift-kube-apiserver $POD -- curl -sS https://172.25.0.1/api/v1/nodes/$name/proxy/configz -k -H \"Authorization: Bearer $TOKEN\" | jq -r '.kubeletconfig.authorization.mode'\ndone\n```\n\nVerify that access is not successful." - }, - { - "id": "CIS-4.2.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" - } - ] - }, - { - "id": "CIS-4.2.3", - "title": "Ensure that the --client-ca-file argument is set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#b0a79284-59f4-4b12-a7a4-b7fd73d32e36", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.3_smt", - "name": "statement", - "prose": "Enable Kubelet authentication using certificates." 
- }, - { - "id": "CIS-4.2.3_rationale_statement", - "name": "rationale_statement", - "prose": "The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests." - }, - { - "id": "CIS-4.2.3_impact_statement", - "name": "impact_statement", - "prose": "You require TLS to be configured on apiserver as well as kubelets." - }, - { - "id": "CIS-4.2.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. Changing the `clientCAFile` value is unsupported." - }, - { - "id": "CIS-4.2.3_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift provides integrated management of certificates for internal cluster components. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. The Client CA location for the kubelet is defined in `/etc/kubernetes/kubelet.conf`. \n\nRun the following command:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep -B3 client-ca-file: /etc/systemd/system/kubelet.service\ndone\n```\n\nVerify that the `clientCAFile` exists and is set to `/etc/kubernetes/kubelet-ca.crt`. 
The output should look like the following:\n\n```\napiVersion: kubelet.config.k8s.io/v1beta1\nauthentication:\n x509:\n clientCAFile: /etc/kubernetes/kubelet-ca.crt\n```" - }, - { - "id": "CIS-4.2.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;" - } - ] - }, - { - "id": "CIS-4.2.4", - "title": "Verify that the read only port is not used or is set to 0", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": 
"False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#aad9d053-7481-4ef1-a443-dc6fe0aa3909", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.4_smt", - "name": "statement", - "prose": "Disable the read-only port." - }, - { - "id": "CIS-4.2.4_rationale_statement", - "name": "rationale_statement", - "prose": "The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster." - }, - { - "id": "CIS-4.2.4_impact_statement", - "name": "impact_statement", - "prose": "Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API." - }, - { - "id": "CIS-4.2.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "In earlier versions of OpenShift 4, the `read-only-port` argument is not used. \n\nFollow the instructions in the documentation to create a Kubelet config CRD and set the `--read-only-port` is set to `0`." - }, - { - "id": "CIS-4.2.4_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the kubelet is managed by the Machine Config Operator. The kubelet config file is found at `/etc/kubernetes/kubelet.conf`. OpenShift disables the read-only port (10255) on all nodes by setting the `read-only-port` kubelet flag to 0 by default in OpenShift 4.6 and above. In OpenShift 4.5 and earlier, the `read-only-port` argument is not used. 
\n\nRun the following command:\n\n```\n\noc -n openshift-kube-apiserver get cm kube-apiserver-pod -o yaml | grep --color read-only-port\n\noc -n openshift-kube-apiserver get cm config -o yaml | grep --color \"read-only-port”\n```\n\nFor OpenShift 4.5, verify that nothing is returned. Configuration information is available here: https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L135-L141\n\nFor OpenShift 4.6, verify that the `read-only-port` is set to `0`." - }, - { - "id": "CIS-4.2.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" - } - ] - }, - { - "id": "CIS-4.2.5", - "title": "Ensure that the --streaming-connection-idle-timeout argument is not set to 0", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - 
"value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#25b0a20a-b36a-41b7-bd96-6fd4a7dfd325", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.5_smt", - "name": "statement", - "prose": "Do not disable timeouts on streaming connections." - }, - { - "id": "CIS-4.2.5_rationale_statement", - "name": "rationale_statement", - "prose": "Setting idle timeouts ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports. \n\n**Note:** By default, `--streaming-connection-idle-timeout` is set to 4 hours which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases." - }, - { - "id": "CIS-4.2.5_impact_statement", - "name": "impact_statement", - "prose": "Long-lived connections could be interrupted." - }, - { - "id": "CIS-4.2.5_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the instructions in the documentation to create a Kubelet config CRD and set the `--streaming-connection-idle-timeout` to the desired value. Do not set the value to `0`." - }, - { - "id": "CIS-4.2.5_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses the kubernetes default of 4 hours for the streaming-connection-idle-timeout argument. Unless the cluster administrator has added the value to the node configuration, the default will be used. The value is a timeout for HTTP streaming sessions going through a kubelet, like the port-forward, exec, or attach pod operations. 
The `streaming-connection-idle-timeout` should not be disabled by setting it to `zero`, but it can be lowered. Note that if the value is set too low, then users using those features may experience a service interruption due to the timeout. \n\nThe kubelet configuration is currently serialized as an ignition configuration, so it can be directly edited. However, there is also a new `kubelet-config-controller` added to the Machine Config Controller (MCC). This allows you to create a `KubeletConfig` custom resource (CR) to edit the kubelet parameters.\n\nRun the following command on each node:\n\n```\n\n# Should return 1 for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host ps -ef | grep kubelet | grep streaming-connection-idle-timeout\n echo $?\ndone\n\n# Should return 1 for each node\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf\n echo $?\ndone\n```\n\nVerify that the `--streaming-connection-idle-timeout` argument is not set to `0`.\nIf the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to `0`." 
- }, - { - "id": "CIS-4.2.5_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;" - } - ] - }, - { - "id": "CIS-4.2.6", - "title": "Ensure that the --protect-kernel-defaults argument is not set", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#fcb2eff5-95e4-4f94-b1c0-7fd3d06d829a", - "rel": "reference" - } - ], - "parts": [ - { - "id": 
"CIS-4.2.6_smt", - "name": "statement", - "prose": "Protect tuned kernel parameters from overriding kubelet default kernel parameter values." - }, - { - "id": "CIS-4.2.6_rationale_statement", - "name": "rationale_statement", - "prose": "Kernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior." - }, - { - "id": "CIS-4.2.6_impact_statement", - "name": "impact_statement", - "prose": "You would have to re-tune kernel parameters to match kubelet parameters." - }, - { - "id": "CIS-4.2.6_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start." - }, - { - "id": "CIS-4.2.6_audit_procedure", - "name": "audit_procedure", - "prose": "The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start.\n\nRun the following command:\n\n```\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n```\n\nVerify that protectKernelDefaults is not present." 
- }, - { - "id": "CIS-4.2.6_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Deploy Automated Operating System Patch Management Tools CONTROL:v7 3.4 DESCRIPTION:Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.;" - } - ] - }, - { - "id": "CIS-4.2.7", - "title": "Ensure that the --make-iptables-util-chains argument is set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#576ebaa9-bb17-44ce-98cd-021442090ba2", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.7_smt", - "name": "statement", - 
"prose": "Allow Kubelet to manage iptables." - }, - { - "id": "CIS-4.2.7_rationale_statement", - "name": "rationale_statement", - "prose": "Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open." - }, - { - "id": "CIS-4.2.7_impact_statement", - "name": "impact_statement", - "prose": "Kubelet would manage the iptables on the system and keep it in sync. If you are using any other iptables management solution, then there might be some conflicts." - }, - { - "id": "CIS-4.2.7_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required. The `--make-iptables-util-chains` argument is set to true by default." - }, - { - "id": "CIS-4.2.7_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift sets the `make-iptables-util-changes` argument to true by default. \n\nRun the following command:\n\n```\n\n/bin/bash\nflag=make-iptables-util-chains\nopt=makeIPTablesUtilChains\n\n# look at each machineconfigpool\n\nwhile read -r pool nodeconfig; do\n # true by default\n value='true'\n # first look for the flag\n oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.systemd[][] | select(.name==\"kubelet.service\") | .contents' | sed -n \"/^ExecStart=/,/^\\$/ { /^\\\\s*--$flag=false/ q 100 }\"\n # if the above command exited with 100, the flag was false\n [ $? 
== 100 ] && value='false'\n # now look in the yaml KubeletConfig\n yamlconfig=$(oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.storage.files[] | select(.path==\"/etc/kubernetes/kubelet.conf\") | .contents.source ' | sed 's/^data:,//' | while read; do echo -e ${REPLY//%/\\\\x}; done)\n echo \"$yamlconfig\" | sed -n \"/^$opt:\\\\s*false\\\\s*$/ q 100\"\n [ $? == 100 ] && value='false'\n echo \"Pool $pool has $flag ($opt) set to $value\"\ndone < <(oc get machineconfigpools -o json | jq -r '.items[] | select(.status.machineCount>0) | .metadata.name + \" \" + .spec.configuration.name')\n```\n\nVerify the `--make-iptables-util-chains` argument is set to true for each `machinepool`. \n\nFor example:\n`Pool master has make-iptables-util-chains (makeIPTablesUtilChains) set to true`\n`Pool worker has make-iptables-util-chains (makeIPTablesUtilChains) set to true`" - }, - { - "id": "CIS-4.2.7_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. 
Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enforce Access Control to Data through Automated Tools CONTROL:v7 14.7 DESCRIPTION:Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.;" - } - ] - }, - { - "id": "CIS-4.2.8", - "title": "Ensure that the --hostname-override argument is not set", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#df258d02-632c-46ba-b131-938998ac806f", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.8_smt", - "name": "statement", - "prose": "Do not override node hostnames." 
- }, - { - "id": "CIS-4.2.8_rationale_statement", - "name": "rationale_statement", - "prose": "Overriding hostnames could potentially break TLS setup between the kubelet and the apiserver. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should setup your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs." - }, - { - "id": "CIS-4.2.8_impact_statement", - "name": "impact_statement", - "prose": "Some cloud providers may require this flag to ensure that hostname matches names issued by the cloud provider. In these environments, this recommendation should not apply." - }, - { - "id": "CIS-4.2.8_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-4.2.8_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, the `--hostname-override` argument is not used. \n\nRun the following command on each machine pool. For example:\n\n```\noc get machineconfig 01-worker-kubelet -o yaml | grep hostname-override\noc get machineconfig 01-master-kubelet -o yaml | grep hostname-override\n```\n\nVerify that `--hostname-override` argument does not exist." 
- }, - { - "id": "CIS-4.2.8_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Use DNS Filtering Services CONTROL:v8 9.2 DESCRIPTION:Use DNS filtering services on all enterprise assets to block access to known malicious domains.;TITLE:Use of DNS Filtering Services CONTROL:v7 7.7 DESCRIPTION:Use DNS filtering services to help block access to known malicious domains.;" - } - ] - }, - { - "id": "CIS-4.2.9", - "title": "Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#1895214f-40e8-4615-b019-61940dfa98cd", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.9_smt", - "name": "statement", - "prose": "Security relevant information should be captured. 
The `--event-qps` flag on the Kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged, however the unlimited setting of `0` could result in a denial of service on the kubelet." - }, - { - "id": "CIS-4.2.9_rationale_statement", - "name": "rationale_statement", - "prose": "It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data." - }, - { - "id": "CIS-4.2.9_impact_statement", - "name": "impact_statement", - "prose": "Setting this parameter to `0` could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads." - }, - { - "id": "CIS-4.2.9_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the documentation to edit kubelet parameters\n\nhttps://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters\n\n```\nKubeAPIQPS: \n```" - }, - { - "id": "CIS-4.2.9_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift uses the `kubeAPIQPS` argument and sets it to a default value of `50`. When this value is set to > 0, event creations per second are limited to the value set. If this value is set to `0`, event creations per second are unlimited.\n\nRun the following command on each machine pool. 
For example:\n\n```\n\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n\noc get machineconfig 01-worker-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050\n\noc get machineconfig 01-master-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050\n```\n\nReview the value set for the `kubeAPIQPS` argument and determine whether this has been set to an appropriate level for the cluster. If this value is set to `0`, event creations per second are unlimited." - }, - { - "id": "CIS-4.2.9_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Collect Detailed Audit Logs CONTROL:v8 8.5 DESCRIPTION:Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.;TITLE:Enable Command-line Audit Logging CONTROL:v7 8.8 DESCRIPTION:Enable command-line audit logging for command shells, such as Microsoft Powershell and Bash.;" - } - ] - }, - { - "id": "CIS-4.2.10", - "title": "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Automated" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#f1854ab5-825d-4054-9a85-32e73db22296", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.10_smt", - "name": "statement", - "prose": "Setup TLS connection on the Kubelets." - }, - { - "id": "CIS-4.2.10_rationale_statement", - "name": "rationale_statement", - "prose": "The connections from the `apiserver` to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the `apiserver` does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks." - }, - { - "id": "CIS-4.2.10_impact_statement", - "name": "impact_statement", - "prose": "TLS and client certificate authentication must be configured for your Kubernetes cluster deployment." - }, - { - "id": "CIS-4.2.10_remediation_procedure", - "name": "remediation_procedure", - "prose": "OpenShift automatically manages TLS authentication for the API server communication with the `node/kublet`. This is not configurable." - }, - { - "id": "CIS-4.2.10_audit_procedure", - "name": "audit_procedure", - "prose": "By default, OpenShift uses X.509 certificates to provide secure connections between the API server and `node/kubelet`. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. 
The OpenShift Container Platform manages certificate rotation and the alerting framework has rules to help identify when a certificate issue is about to occur. \n\nRun the following command on each node:\n\n```\noc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data[\"config.yaml\"]' | jq '.kubeletClientInfo' \n```\n\nVerify that the `kubelet-client-certificate` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt`\n\nVerify that the `kubelet-client-key` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kublet-client/tls.key`" - }, - { - "id": "CIS-4.2.10_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-4.2.11", - "title": "Ensure that the --rotate-certificates argument is not set to false", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#ca0ebe3e-495e-4753-80a1-a9b809fe8fd1", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.11_smt", - "name": "statement", - "prose": "Enable kubelet client certificate rotation." - }, - { - "id": "CIS-4.2.11_rationale_statement", - "name": "rationale_statement", - "prose": "The `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself." - }, - { - "id": "CIS-4.2.11_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.2.11_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-4.2.11_audit_procedure", - "name": "audit_procedure", - "prose": "This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled. 
The feature gate is enabled by default.\n\nRun the following commands:\n\n```\n\n#Verify the rotateKubeletClientCertificate feature gate is not set to false\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot /host cat /etc/kubernetes/kubelet.conf | grep RotateKubeletClientCertificate\ndone\n\n# Verify the rotateCertificates argument is set to true\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf;\ndone\n```\n\nVerify that the `rotateKubeletClientCertificates` feature gate argument is not set to `false`.\n\nVerify that the `rotateCertificates` argument is set to `true`." - }, - { - "id": "CIS-4.2.11_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-4.2.12", - "title": "Verify that the RotateKubeletServerCertificate argument is set to true", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "links": [ - { - "href": "#7fb3efc3-eb24-45a0-a08f-d321b903cd0d", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-4.2.12_smt", - "name": "statement", - "prose": "Enable kubelet server certificate rotation." - }, - { - "id": "CIS-4.2.12_rationale_statement", - "name": "rationale_statement", - "prose": "`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\nNote: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself." - }, - { - "id": "CIS-4.2.12_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-4.2.12_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." 
- }, - { - "id": "CIS-4.2.12_audit_procedure", - "name": "audit_procedure", - "prose": "Run the following command on each node:\n\n```\n\n#Verify the rotateKubeletServerCertificate feature gate is on \nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done\n\n# Verify the rotateCertificates argument is set to true\nfor node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')\ndo\n oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf;\ndone\n```\n\nVerify that the `RotateKubeletServerCertificate` argument is set to `true`.\n\nVerify that the `rotateCertificates` argument is set to `true`" - }, - { - "id": "CIS-4.2.12_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-4.2.13", - "title": "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - } - ], - "parts": [ - { - "id": "CIS-4.2.13_smt", - "name": "statement", - "prose": "Ensure that the Kubelet is configured to only use strong cryptographic ciphers." - }, - { - "id": "CIS-4.2.13_rationale_statement", - "name": "rationale_statement", - "prose": "TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided." - }, - { - "id": "CIS-4.2.13_impact_statement", - "name": "impact_statement", - "prose": "Kubelet clients that cannot support modern cryptographic ciphers will not be able to make connections to the Kubelet API." - }, - { - "id": "CIS-4.2.13_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the directions above and in the OpenShift documentation to configure the `tlsSecurityProfile`. 
[Configuring Ingress](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress)" - }, - { - "id": "CIS-4.2.13_audit_procedure", - "name": "audit_procedure", - "prose": "The set of cryptographic ciphers currently considered secure is the following:\n\n```\n TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305\n TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305\n TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_GCM_SHA256\n```\n\nCiphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. There are four TLS security profile types:\n\n- Old\n- Intermediate\n- Modern\n- Custom\n\nOnly the Old, Intermediate and Custom profiles are supported at this time for the Ingress controller. Custom provides the ability to specify individual TLS security profile parameters. Follow the steps in the documentation to configure the cipher suite for Ingress, API server and Authentication. 
https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress\n\nRun the following commands to verify the cipher suite and minTLSversion for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and Kube APIserver.\n\n```\n# needs verification\n\n# verify cipher suites\noc describe --namespace=openshift-ingress-operator ingresscontroller/default\n\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\n\noc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo\n\noc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\\-0\\-config\\-system\\-cliconfig}' | jq .servingInfo\n\n#check value for tlsSecurityProfile; null is returned if default is used\noc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.tlsSecurityProfile\n```\n\nVerify that the cipher suites are appropriate. \n\nVerify that the `tlsSecurityProfile` is set to the value you chose. \n\nNote: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2." - }, - { - "id": "CIS-4.2.13_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. 
;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.;TITLE:Address unapproved software CONTROL:v7 2.6 DESCRIPTION:Ensure that unauthorized software is either removed or the inventory is updated in a timely manner;" - } - ] - } - ] - } - ] - }, - { - "id": "CIS-5", - "title": "Policies", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-5_smt", - "name": "statement", - "prose": "This section contains recommendations for various Kubernetes policies which are important to the security of the environment." - } - ], - "groups": [ - { - "id": "CIS-5.1", - "title": "RBAC and Service Accounts", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "controls": [ - { - "id": "CIS-5.1.1", - "title": "Ensure that the cluster-admin role is only used where required", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0001, TA0004, T1078, T1078.002, M1026" - } - ], - "links": [ - { - "href": "#bcc08c26-c8b2-4455-85b6-e329fcd34a19", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.1.1_smt", - "name": "statement", - "prose": "The RBAC role `cluster-admin` provides wide-ranging powers over the environment and should be used only where and when needed." - }, - { - "id": "CIS-5.1.1_rationale_statement", - "name": "rationale_statement", - "prose": "Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as `cluster-admin` provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as `cluster-admin` allow super-user access to perform any action on any resource. When used in a `ClusterRoleBinding`, it gives full control over every resource in the cluster and in all namespaces. When used in a `RoleBinding`, it gives full control over every resource in the rolebinding's namespace, including the namespace itself." - }, - { - "id": "CIS-5.1.1_impact_statement", - "name": "impact_statement", - "prose": "Care should be taken before removing any `clusterrolebindings` from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to `clusterrolebindings` with the `system:` prefix as they are required for the operation of system components." 
- }, - { - "id": "CIS-5.1.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "Identify all `clusterrolebindings` to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.\n\nWhere possible, first bind users to a lower privileged role and then remove the `clusterrolebinding` to the cluster-admin role :\n\n```\noc delete clusterrolebinding [name]\n```" - }, - { - "id": "CIS-5.1.1_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift provides a set of default cluster roles that you can bind to users and groups cluster-wide or locally (per project namespace). Be mindful of the difference between local and cluster bindings. For example, if you bind the cluster-admin role to a user by using a local role binding, it might appear that this user has the privileges of a cluster administrator. This is not the case. Binding the cluster-admin to a user in a project grants super administrator privileges for only that project to the user. You can use the oc CLI to view cluster roles and bindings by using the oc describe command. For more information, see [Default Cluster Roles](https://docs.openshift.com/container-platform/4.4/authentication/using-rbac.html#default-roles_using-rbac)\n\nSome of these roles such as cluster-admin provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as cluster-admin allow super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.\n\nReview users and groups bound to cluster-admin and decide whether they require such access. 
Consider creating least-privilege roles for users and service accounts.\n\nObtain a list of the principals who have access to the cluster-admin role by reviewing the `clusterrolebinding` output for each role binding that has access to the cluster-admin role.\n\n```\n# needs verification\n\n# To get a list of users and service accounts with the cluster-admin role\noc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin\n\n# To verity that kbueadmin is removed, no results should be returned\noc get secrets kubeadmin -n kube-system\n```\n\nReview each principal listed and ensure that cluster-admin privilege is required for it.\n\nVerify that the kubeadmin user no longer exists." - }, - { - "id": "CIS-5.1.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.;" - } - ] - }, - { - "id": "CIS-5.1.2", - "title": "Minimize access to secrets", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1026" - } - ], - "parts": [ - { - "id": "CIS-5.1.2_smt", - "name": "statement", - "prose": "The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation." 
- }, - { - "id": "CIS-5.1.2_rationale_statement", - "name": "rationale_statement", - "prose": "Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets." - }, - { - "id": "CIS-5.1.2_impact_statement", - "name": "impact_statement", - "prose": "Care should be taken not to remove access to secrets to system components which require this for their operation" - }, - { - "id": "CIS-5.1.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "Where possible, remove `get`, `list` and `watch` access to `secret` objects in the cluster." - }, - { - "id": "CIS-5.1.2_audit_procedure", - "name": "audit_procedure", - "prose": "Review the users who have `get`, `list` or `watch` access to `secrets` objects in the Kubernetes API." - }, - { - "id": "CIS-5.1.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. 
Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;" - } - ] - }, - { - "id": "CIS-5.1.3", - "title": "Minimize wildcard use in Roles and ClusterRoles", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0001, TA0004, T1078, T1078.002, M1026" - } - ], - "parts": [ - { - "id": "CIS-5.1.3_smt", - "name": "statement", - "prose": "Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard \"*\" which matches all items. 
Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product." - }, - { - "id": "CIS-5.1.3_rationale_statement", - "name": "rationale_statement", - "prose": "The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API." - }, - { - "id": "CIS-5.1.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions." - }, - { - "id": "CIS-5.1.3_audit_procedure", - "name": "audit_procedure", - "prose": "Retrieve the roles defined across each namespaces in the cluster and review for wildcards\n\n```\n\noc get roles --all-namespaces -o yaml\n\nfor i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done\n```\n\nRetrieve the cluster roles defined in the cluster and review for wildcards\n\n```\noc get clusterroles -o yaml\n\nfor i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done\n```" - }, - { - "id": "CIS-5.1.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 
Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;" - } - ] - }, - { - "id": "CIS-5.1.4", - "title": "Minimize access to create pods", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0001, TA0004, T1078, T1078.002, M1026" - } - ], - "parts": [ - { - "id": "CIS-5.1.4_smt", - "name": "statement", - "prose": "The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access) As such, access to create new pods should 
be restricted to the smallest possible group of users." - }, - { - "id": "CIS-5.1.4_rationale_statement", - "name": "rationale_statement", - "prose": "The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible." - }, - { - "id": "CIS-5.1.4_impact_statement", - "name": "impact_statement", - "prose": "Care should be taken not to remove access to pods to system components which require this for their operation" - }, - { - "id": "CIS-5.1.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "Where possible, remove `create` access to `pod` objects in the cluster." - }, - { - "id": "CIS-5.1.4_audit_procedure", - "name": "audit_procedure", - "prose": "Review the users who have create access to pod objects in the Kubernetes API." - }, - { - "id": "CIS-5.1.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Allowlist Authorized Scripts CONTROL:v8 2.7 DESCRIPTION:Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" - } - ] - }, - { - "id": "CIS-5.1.5", - "title": "Ensure that default service accounts are not actively used.", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1028" - } - ], - "links": [ - { - "href": "#7529501b-33d5-4e34-9865-699bb66c1d07", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.1.5_smt", - "name": "statement", - "prose": "The `default` service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed." 
- }, - { - "id": "CIS-5.1.5_rationale_statement", - "name": "rationale_statement", - "prose": "Kubernetes provides a `default` service account which is used by cluster workloads where no specific service account is assigned to the pod.\n\nWhere access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.\n\nThe default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments." - }, - { - "id": "CIS-5.1.5_impact_statement", - "name": "impact_statement", - "prose": "All workloads which require access to the Kubernetes API will require an explicit service account to be created." - }, - { - "id": "CIS-5.1.5_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-5.1.5_audit_procedure", - "name": "audit_procedure", - "prose": "Every OpenShift project has its own service accounts. Every service account has an associated user name that can be granted roles, just like a regular user. The user name for each service account is derived from its project and the name of the service account. Service accounts are required in each project to run builds, deployments, and other pods. The default service accounts that are automatically created for each project are isolated by the project namespace." 
- }, - { - "id": "CIS-5.1.5_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Disable Dormant Accounts CONTROL:v8 5.3 DESCRIPTION:Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.;TITLE:Disable Dormant Accounts CONTROL:v7 16.9 DESCRIPTION:Automatically disable dormant accounts after a set period of inactivity.;" - } - ] - }, - { - "id": "CIS-5.1.6", - "title": "Ensure that Service Account Tokens are only mounted where necessary", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1528, T1555, M1026" - } - ], - "links": [ - { - "href": "#a27b3a4a-2bad-49d8-af3f-78a1df9ae814", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.1.6_smt", - "name": "statement", - "prose": "Service 
accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server" - }, - { - "id": "CIS-5.1.6_rationale_statement", - "name": "rationale_statement", - "prose": "Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.\n\nAvoiding mounting these tokens removes this attack avenue." - }, - { - "id": "CIS-5.1.6_impact_statement", - "name": "impact_statement", - "prose": "Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals." - }, - { - "id": "CIS-5.1.6_remediation_procedure", - "name": "remediation_procedure", - "prose": "Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it." - }, - { - "id": "CIS-5.1.6_audit_procedure", - "name": "audit_procedure", - "prose": "Review pod and service account objects in the cluster and ensure that the option below is set, unless the resource explicitly requires this access.\n\n```\nautomountServiceAccountToken: false\n```" - }, - { - "id": "CIS-5.1.6_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;" - } - ] - } - ] - }, - { - "id": "CIS-5.2", - "title": "Pod Security Policies", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-5.2_smt", - "name": "statement", - "prose": "A Pod Security Policy (SCC) is a cluster-level resource that controls security settings for pods. 
PodSecurityPolicies are used in conjunction with the PodSecurityPolicy admission controller plugin.\n\nOpenShift uses the Security Context Constraint (SCC) admission controller plugin instead of PodSecurityPolicies. The SCC plugin cannot be disabled. The PSP plugin cannot be enabled. \n\nSimilar to the way that RBAC resources control user access, administrators can use Security Context Constraints (SCCs) to control permissions for pods. These permissions include actions that a pod, a collection of containers, can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with in order to be accepted into the system.\n\nBy default, OpenShift 4 is configured with multiple SCCs. You can query SCCs with the following command:\n\n```\noc get scc\n```" - } - ], - "controls": [ - { - "id": "CIS-5.2.1", - "title": "Minimize the admission of privileged containers", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0004, T1611, M1048" - } - ], - "links": [ - { - "href": "#343e2a40-49b5-4238-b2de-39c5a421c84b", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.2.1_smt", - "name": "statement", - "prose": "Do not generally permit containers to be run with the `securityContext.privileged` flag set to `true`." - }, - { - "id": "CIS-5.2.1_rationale_statement", - "name": "rationale_statement", - "prose": "Privileged containers have access to all Linux Kernel capabilities and devices. A container running with full privileges can do almost everything that the host can do. This flag exists to allow special use-cases, like manipulating the network stack and accessing devices.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit privileged containers.\n\nIf you need to run privileged containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." - }, - { - "id": "CIS-5.2.1_impact_statement", - "name": "impact_statement", - "prose": "Pods defined with `spec.containers[].securityContext.privileged: true` will not be permitted." - }, - { - "id": "CIS-5.2.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privileged` field is set to `false`." - }, - { - "id": "CIS-5.2.1_audit_procedure", - "name": "audit_procedure", - "prose": "The set of SCCs that admission uses to authorize a pod are determined by the user identity and groups that the user belongs to. 
Additionally, if the pod specifies a service account, the set of allowable SCCs includes any constraints accessible to the service account.\n\nAdmission uses the following approach to create the final security context for the pod:\n\n- Retrieve all SCCs available for use.\n- Generate field values for security context settings that were not specified on the request.\n- Validate the final settings against the available constraints.\n\nIf a matching set of constraints is found, then the pod is accepted. If the request cannot be matched to an SCC, the pod is rejected.\n\nA pod must validate every field against the SCC. \n\nGet the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether privileged is enabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Privileged\"; done\n```\n\nVerify that there is at least one SCC which does not have `Allow Privileged` set to `true`." - }, - { - "id": "CIS-5.2.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;" - } - ] - }, - { - "id": "CIS-5.2.2", - "title": "Minimize the admission of containers wishing to share the host process ID namespace", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0001, TA0004, T1078, T1078.002, M1026" - } - ], - "links": [ - { - "href": "#c6b36abb-ad36-4ca8-a53e-4d56cf82ef34", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.2.2_smt", - "name": "statement", - "prose": "Do not generally permit containers to be run with the `hostPID` flag set to true." 
- }, - { - "id": "CIS-5.2.2_rationale_statement", - "name": "rationale_statement", - "prose": "A container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host PID namespace.\n\nIf you need to run containers which require hostPID, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." - }, - { - "id": "CIS-5.2.2_impact_statement", - "name": "impact_statement", - "prose": "Pods defined with `Allow Host PID: true` will not be permitted unless they are run under a specific SCC." - }, - { - "id": "CIS-5.2.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host PID` field is set to false." - }, - { - "id": "CIS-5.2.2_audit_procedure", - "name": "audit_procedure", - "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether Allow Host PID is true:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host PID\"; done\n```\n\nVerify that there is at least one SCC which does not return true." - }, - { - "id": "CIS-5.2.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" - } - ] - }, - { - "id": "CIS-5.2.3", - "title": "Minimize the admission of containers wishing to share the host IPC namespace", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0001, TA0004, T1078, T1078.002, M1026" - } - ], - "links": [ - { - "href": 
"#2b29a9f1-2454-4959-ad8b-3bb2f0ed9c98", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.2.3_smt", - "name": "statement", - "prose": "Do not generally permit containers to be run with the `hostIPC` flag set to true." - }, - { - "id": "CIS-5.2.3_rationale_statement", - "name": "rationale_statement", - "prose": "A container running in the host's IPC namespace can use IPC to interact with processes outside the container.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host IPC namespace.\n\nIf you have a requirement to containers which require hostIPC, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." - }, - { - "id": "CIS-5.2.3_impact_statement", - "name": "impact_statement", - "prose": "Pods defined with `Allow Host IPC: true` will not be permitted unless they are run under a specific SCC." - }, - { - "id": "CIS-5.2.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host IPC` field is set to `false`." - }, - { - "id": "CIS-5.2.3_audit_procedure", - "name": "audit_procedure", - "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `Allow Host IPC` is enabled:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host IPC\"; done\n```\n\nVerify that there is at least one SCC which does not return true." - }, - { - "id": "CIS-5.2.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. 
Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Deploy Application Layer Filtering Proxy Server CONTROL:v7 12.9 DESCRIPTION:Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.;" - } - ] - }, - { - "id": "CIS-5.2.4", - "title": "Minimize the admission of containers wishing to share the host network namespace", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0003, T1098, M1030" - } - ], - "links": [ - { - "href": "#3135b679-9654-4b06-ad69-c68486cd9029", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.2.4_smt", - "name": "statement", - "prose": "Do not generally permit 
containers to be run with the `hostNetwork` flag set to true." - }, - { - "id": "CIS-5.2.4_rationale_statement", - "name": "rationale_statement", - "prose": "A container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host network namespace.\n\nIf you have need to run containers which require hostNetwork, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." - }, - { - "id": "CIS-5.2.4_impact_statement", - "name": "impact_statement", - "prose": "Pods defined with `Allow Host Network: true` will not be permitted unless they are run under a specific SCC." - }, - { - "id": "CIS-5.2.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host Network` field is omitted or set to `false`." - }, - { - "id": "CIS-5.2.4_audit_procedure", - "name": "audit_procedure", - "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `Allow Host Network` is enabled:\n\n```\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Host Network\"; done\n```\n\nVerify that there is at least one SCC which does not return true." - }, - { - "id": "CIS-5.2.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. 
Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Segment the Network Based on Sensitivity CONTROL:v7 14.1 DESCRIPTION:Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).;" - } - ] - }, - { - "id": "CIS-5.2.5", - "title": "Minimize the admission of containers with allowPrivilegeEscalation", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0004, T1611, M1038, M1048" - } - ], - "links": [ - { - "href": "#2b50adfc-1a99-4408-bc25-65a9be712705", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.2.5_smt", - "name": "statement", - "prose": "Do not generally permit 
containers to be run with the `allowPrivilegeEscalation` flag set to `true`." - }, - { - "id": "CIS-5.2.5_rationale_statement", - "name": "rationale_statement", - "prose": "A container running with the `allowPrivilegeEscalation` flag set to `true` may have processes that can gain more privileges than their parent.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run.\n\nIf you have need to run containers which use setuid binaries or require privilege escalation, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." - }, - { - "id": "CIS-5.2.5_impact_statement", - "name": "impact_statement", - "prose": "Pods defined with `Allow Privilege Escalation: true` will not be permitted unless they are run under a specific SCC." - }, - { - "id": "CIS-5.2.5_remediation_procedure", - "name": "remediation_procedure", - "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privilege Escalation` field is set to `false`." - }, - { - "id": "CIS-5.2.5_audit_procedure", - "name": "audit_procedure", - "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether privileged is enabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allow Privilege Escalation\"; done\n```\n\nVerify that there is at least one SCC which does not return true." 
- },
- {
- "id": "CIS-5.2.5_CIS_Controls",
- "name": "CIS_Controls",
- "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;"
- }
- ]
- },
- {
- "id": "CIS-5.2.6",
- "title": "Minimize the admission of root containers",
- "props": [
- {
- "name": "profile",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "Level 2"
- },
- {
- "name": "status",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "draft"
- },
- {
- "name": "assessment_status",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "Manual"
- },
- {
- "name": "v7_IG1",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "False"
- },
- {
- "name": "v7_IG2",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "False"
- },
- {
- "name": "v7_IG3",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "False"
- },
- {
- "name": "v8_IG1",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "True"
- },
- {
- "name": "v8_IG2",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "True"
- },
- {
- "name": "v8_IG3",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "True"
- },
- {
- "name": "MITRE_ATTaCK_Mappings",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "TA0003, T1098, M1026"
- }
- ],
- "links": [
- {
- "href": "#02bd932b-86f2-40ea-b393-127c921dbb1b",
- "rel": "reference"
- }
- ],
- "parts": [
- {
- "id": "CIS-5.2.6_smt",
- "name": "statement",
- "prose": "Do not generally permit containers to be run as the root user."
- },
- {
- "id": "CIS-5.2.6_rationale_statement",
- "name": "rationale_statement",
- "prose": "Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have an escalated likelihood of container breakout.\n\nIdeally, all containers should run as a defined non-UID 0 user.\n\nThere should be at least one Security Context Constraint (SCC) defined which does not permit root users in a container.\n\nIf you need to run root containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC."
- },
- {
- "id": "CIS-5.2.6_impact_statement",
- "name": "impact_statement",
- "prose": "Pods with containers which run as the root user will not be permitted."
- },
- {
- "id": "CIS-5.2.6_remediation_procedure",
- "name": "remediation_procedure",
- "prose": "None required. By default, OpenShift includes the non-root SCC with the the `Run As User Strategy` is set to either `MustRunAsNonRoot`. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs."
- },
- {
- "id": "CIS-5.2.6_audit_procedure",
- "name": "audit_procedure",
- "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether running containers as root is enabled:\n\n```\n# needs verification\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Run As User Strategy\"; done\n\n#For SCCs with MustRunAs verify that the range of UIDs does not include 0\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"\\sUID\"; done\n```\n\nVerify that there is at least one SCC which returns `MustRunAsNonRoot` or one SCC which returns `MustRunAs` with the range of UIDs not including 0."
- },
- {
- "id": "CIS-5.2.6_CIS_Controls",
- "name": "CIS_Controls",
- "prose": "TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;"
- }
- ]
- },
- {
- "id": "CIS-5.2.7",
- "title": "Minimize the admission of containers with the NET_RAW capability",
- "props": [
- {
- "name": "profile",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "Level 1"
- },
- {
- "name": "status",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "draft"
- },
- {
- "name": "assessment_status",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "Manual"
- },
- {
- "name": "v7_IG1",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "False"
- },
- {
- "name": "v7_IG2",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "True"
- },
- {
- "name": "v7_IG3",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "True"
- },
- {
- "name": "v8_IG1",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "False"
- },
- {
- "name": "v8_IG2",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "True"
- },
- {
- "name": "v8_IG3",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "True"
- },
- {
- "name": "MITRE_ATTaCK_Mappings",
- "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis",
- "value": "TA0004, T1068, M1050"
- }
- ],
- "links": [
- {
- "href": "#bc77b6a9-1889-46db-b22f-75a7dc0ead87",
- "rel": "reference"
- }
- ],
- "parts": [
- {
- "id": "CIS-5.2.7_smt",
- "name": "statement",
- "prose": "Do not generally permit containers with the potentially dangerous NET_RAW capability."
- },
- {
- "id": "CIS-5.2.7_rationale_statement",
- "name": "rationale_statement",
- "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. By default this can include potentially dangerous capabilities. With Docker as the container runtime the NET_RAW capability is enabled which may be misused by malicious containers.\n\nIdeally, all containers should drop this capability.\n\nThere should be at least one Security Context Constraint (SCC) defined which prevents containers with the NET_RAW capability from launching.\n\nIf you need to run containers with this capability, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC."
- },
- {
- "id": "CIS-5.2.7_impact_statement",
- "name": "impact_statement",
- "prose": "Pods with containers which run with the NET_RAW capability will not be permitted."
- },
- {
- "id": "CIS-5.2.7_remediation_procedure",
- "name": "remediation_procedure",
- "prose": "Create a SCC as described in the OpenShift documentation, ensuring that the `Required Drop Capabilities` is set to include either `NET_RAW` or `ALL`."
- },
- {
- "id": "CIS-5.2.7_audit_procedure",
- "name": "audit_procedure",
- "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether `NET_RAW` is disabled:\n\n```\n# needs verification\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Required Drop Capabilities\"; done\n```\n\nVerify that there is at least one SCC which returns `NET_RAW` or `ALL`."
- }, - { - "id": "CIS-5.2.7_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" - } - ] - }, - { - "id": "CIS-5.2.8", - "title": "Minimize the admission of containers with added capabilities", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0002, TA0003, T1204, M1047" - } - ], - "links": [ - { - "href": "#07a1f737-1346-490e-be2b-542bcb5153c3", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.2.8_smt", - "name": "statement", - "prose": "Do not generally permit containers with capabilities assigned beyond the default set." - }, - { - "id": "CIS-5.2.8_rationale_statement", - "name": "rationale_statement", - "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities outside this set can be added to containers which could expose them to risks of container breakout attacks.\n\nThere should be at least one Security Context Constraint (SCC) defined which prevents containers with capabilities beyond the default set from launching.\n\nIf you need to run containers with additional capabilities, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC." - }, - { - "id": "CIS-5.2.8_impact_statement", - "name": "impact_statement", - "prose": "Pods with containers which require capabilities outside the default set will not be permitted." - }, - { - "id": "CIS-5.2.8_remediation_procedure", - "name": "remediation_procedure", - "prose": "Ensure that `Allowed Capabilities` is set to an empty array for every SCC in the cluster except for the `privileged` SCC." 
- }, - { - "id": "CIS-5.2.8_audit_procedure", - "name": "audit_procedure", - "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check the values for `Allowed Capabilities`:\n\n```\n\noc describe scc | grep “Default Add Capabilities”\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Allowed Capabilities\"; done\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Default Add Capabilities\"; done\n```\n\nMinimize the number of SCCs that have `Allowed Capabilities` set to anything other than an empty array.\n\nMinimize the number of SCCs that have `Default Add Capabilities` set to anything other than an empty array." - }, - { - "id": "CIS-5.2.8_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" - } - ] - }, - { - "id": "CIS-5.2.9", - "title": "Minimize the admission of containers with capabilities assigned", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0002, TA0003, T1204, M1045, M1047" - } - ], - "links": [ - { - "href": "#9abe2b7a-f6a4-4f9a-9e11-bcfe5036f2ac", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.2.9_smt", - "name": "statement", - "prose": "Do not generally permit containers with capabilities" - }, - { - "id": "CIS-5.2.9_rationale_statement", - "name": "rationale_statement", - "prose": "Containers run with a default set of capabilities as assigned by the Container Runtime. 
Capabilities are parts of the rights generally granted on a Linux system to the root user.\n\nIn many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principal of least privilege use of capabilities should be minimized." - }, - { - "id": "CIS-5.2.9_impact_statement", - "name": "impact_statement", - "prose": "Pods with containers which require capabilities to operate will not be permitted." - }, - { - "id": "CIS-5.2.9_remediation_procedure", - "name": "remediation_procedure", - "prose": "Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a SCC which forbids the admission of containers which do not drop all capabilities." - }, - { - "id": "CIS-5.2.9_audit_procedure", - "name": "audit_procedure", - "prose": "Get the set of SCCs with the following command:\n\n```\noc get scc\n```\n\nFor each SCC, check whether capabilities have been forbidden:\n\n```\noc describe scc | grep “Required Drop Capabilities”\n\nfor i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{\"\\n\"}}{{end}}'`; do echo \"$i\"; oc describe scc $i | grep \"Required Drop Capabilities\"; done\n```" - }, - { - "id": "CIS-5.2.9_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" - } - ] - } - ] - }, - { - "id": "CIS-5.3", - "title": "Network Policies and CNI", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "controls": [ - { - "id": "CIS-5.3.1", - "title": "Ensure that the CNI in use supports Network Policies", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0007, T1046, M1030, M1042" - } - ], - "links": [ - { - "href": "#de4f7379-b991-4a36-986c-775f51d15ce7", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.3.1_smt", - "name": "statement", - "prose": "There are a variety of CNI plugins 
available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster." - }, - { - "id": "CIS-5.3.1_rationale_statement", - "name": "rationale_statement", - "prose": "Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies." - }, - { - "id": "CIS-5.3.1_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-5.3.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "None required." - }, - { - "id": "CIS-5.3.1_audit_procedure", - "name": "audit_procedure", - "prose": "Review the documentation of CNI plugin in use by the cluster, and confirm that it supports Ingress and Egress network policies.\n\nOpenShift Container Platform uses a software-defined networking (SDN) approach to provide a unified cluster network that enables communication between Pods across the OpenShift Container Platform cluster. This Pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS). The OpenShift SDN uses Network Policies. The OpenShift SDN CNI plug-in provides all Kubernetes v1 NetworkPolicy features except for egress policy types and IPBlock. However, OpenShift provides means to implement fine grained filtering of egress traffic. OpenShift provides several options for controlling the traffic leaving the cluster. These options are :\n\n- Egress firewall\n- Egress routers\n- Egress static IP" - }, - { - "id": "CIS-5.3.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. 
Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.;" - } - ] - }, - { - "id": "CIS-5.3.2", - "title": "Ensure that all Namespaces have Network Policies defined", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0007, T1046, M1030, M1042" - } - ], - "links": [ - { - "href": "#3956167d-c231-4fdf-9b5d-8f4523d33d96", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.3.2_smt", - "name": "statement", - "prose": "Use network policies to isolate traffic 
in your cluster network." - }, - { - "id": "CIS-5.3.2_rationale_statement", - "name": "rationale_statement", - "prose": "Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints.\n\nOnce there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic" - }, - { - "id": "CIS-5.3.2_impact_statement", - "name": "impact_statement", - "prose": "Once there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic\"" - }, - { - "id": "CIS-5.3.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the documentation and create `NetworkPolicy` objects as you need them." - }, - { - "id": "CIS-5.3.2_audit_procedure", - "name": "audit_procedure", - "prose": "The OpenShift 4 CNI plugin uses network policies and by default all Pods in a project are accessible from other Pods and network endpoints. To isolate one or more Pods in a project, you create NetworkPolicy objects in that project to indicate the allowed incoming connections. Project administrators can create and delete NetworkPolicy objects within their own project. 
For more information see: \n\nRun the following command and review the `NetworkPolicy` objects created in the cluster.\n\n```\noc -n all get networkpolicy\n```\n\nEnsure that each namespace defined in the cluster has at least one Network Policy." - }, - { - "id": "CIS-5.3.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enable Firewall Filtering Between VLANs CONTROL:v7 14.2 DESCRIPTION:Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.;" - } - ] - } - ] - }, - { - "id": "CIS-5.4", - "title": "Secrets Management", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "controls": [ - { - "id": "CIS-5.4.1", - "title": "Prefer using secrets as files over secrets as environment variables", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1026" - } - ], - "links": [ - { - "href": "#8d22ae4e-39b2-4a2d-b875-f3f7c340b70a", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.4.1_smt", - "name": "statement", - "prose": "Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets." - }, - { - "id": "CIS-5.4.1_rationale_statement", - "name": "rationale_statement", - "prose": "It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs." - }, - { - "id": "CIS-5.4.1_impact_statement", - "name": "impact_statement", - "prose": "Application code which expects to read secrets in the form of environment variables would need modification" - }, - { - "id": "CIS-5.4.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables." - }, - { - "id": "CIS-5.4.1_audit_procedure", - "name": "audit_procedure", - "prose": "Information about ways to provide sensitive data to pods is included in the documentation. 
\n[Providing sensitive data to pods](https://docs.openshift.com/container-platform/4.5/nodes/pods/nodes-pods-secrets.html)\nRun the following command to find references to objects which use environment variables defined from secrets.\n\n```\noc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {\"\\n\"}{end}' -A\n```" - }, - { - "id": "CIS-5.4.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;" - } - ] - }, - { - "id": "CIS-5.4.2", - "title": "Consider external secret storage", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": 
"True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0006, T1552, M1026" - } - ], - "parts": [ - { - "id": "CIS-5.4.2_smt", - "name": "statement", - "prose": "Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets." - }, - { - "id": "CIS-5.4.2_rationale_statement", - "name": "rationale_statement", - "prose": "Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure that access to secrets is carefully limited. Using an external secrets provider can ease the management of access to secrets, especially where secrets are used across both Kubernetes and non-Kubernetes environments." - }, - { - "id": "CIS-5.4.2_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-5.4.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution." - }, - { - "id": "CIS-5.4.2_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift supports a broad ecosystem of security partners many of whom provide integration with enterprise secret vaults.\n\nReview your secrets management implementation." - }, - { - "id": "CIS-5.4.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. 
Do not process sensitive data on enterprise assets intended for lower sensitivity data.;" - } - ] - } - ] - }, - { - "id": "CIS-5.5", - "title": "Extensible Admission Control", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "controls": [ - { - "id": "CIS-5.5.1", - "title": "Configure Image Provenance using image controller configuration parameters", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0001, TA0003, T1133, T1195, M1016, M1042" - } - ], - "links": [ - { - "href": "#3bbb424e-c219-459e-95e5-0ddc1060db7c", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.5.1_smt", - "name": "statement", - "prose": "Configure Image Provenance for your 
deployment." - }, - { - "id": "CIS-5.5.1_rationale_statement", - "name": "rationale_statement", - "prose": "Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster.\n\nYou can control which images can be imported, tagged, and run in a cluster using the image controller. For additional information on the image controller, see [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html)" - }, - { - "id": "CIS-5.5.1_impact_statement", - "name": "impact_statement", - "prose": "You need to regularly maintain your provenance configuration based on container image updates." - }, - { - "id": "CIS-5.5.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html" - }, - { - "id": "CIS-5.5.1_audit_procedure", - "name": "audit_procedure", - "prose": "Review the image controller parameters in your cluster and verify that image provenance is configured as appropriate." - }, - { - "id": "CIS-5.5.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Deploy System Configuration Management Tools CONTROL:v7 5.4 DESCRIPTION:Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.;" - } - ] - } - ] - }, - { - "id": "CIS-5.7", - "title": "General Policies", - "props": [ - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - } - ], - "parts": [ - { - "id": "CIS-5.7_smt", - "name": "statement", - "prose": "These policies relate to general cluster management topics, like namespace best practices and policies applied to pod objects in the cluster." - } - ], - "controls": [ - { - "id": "CIS-5.7.1", - "title": "Create administrative boundaries between resources using namespaces", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 1" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0002, TA0008, T1106, T1609, M1038" - } - ], - "links": [ - { - "href": "#85b3d0bd-5a26-4094-b401-20276530da42", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.7.1_smt", - "name": "statement", - "prose": "Use namespaces to isolate your Kubernetes objects." - }, - { - "id": "CIS-5.7.1_rationale_statement", - "name": "rationale_statement", - "prose": "Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. Resources created in one namespace can be hidden from other namespaces. By default, each resource created by a user in Kubernetes cluster runs in a default namespace, called `default`. You can create additional namespaces and attach resources and users to them. You can use Kubernetes Authorization plugins to create policies that segregate access to namespace resources between different users." - }, - { - "id": "CIS-5.7.1_impact_statement", - "name": "impact_statement", - "prose": "You need to switch between namespaces for administration." - }, - { - "id": "CIS-5.7.1_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the documentation and create namespaces for objects in your deployment as you need them." - }, - { - "id": "CIS-5.7.1_audit_procedure", - "name": "audit_procedure", - "prose": "OpenShift Projects wrap Kubernetes namespaces and are used by default in OpenShift 4. \n\nRun the following command and review the namespaces created in the cluster.\n\n```\noc get namespaces\n```\n\nEnsure that these namespaces are the ones you need and are adequately administered as per your requirements." 
- }, - { - "id": "CIS-5.7.1_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.;" - } - ] - }, - { - "id": "CIS-5.7.2", - "title": "Ensure that the seccomp profile is set to docker/default in your pod definitions", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0004, 
T1611, M1048" - } - ], - "links": [ - { - "href": "#58a34685-46ae-4842-8a99-f49445402b36", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.7.2_smt", - "name": "statement", - "prose": "Enable `default` seccomp profile in your pod definitions." - }, - { - "id": "CIS-5.7.2_rationale_statement", - "name": "rationale_statement", - "prose": "Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container." - }, - { - "id": "CIS-5.7.2_impact_statement", - "name": "impact_statement", - "prose": "If the `default` seccomp profile is too restrictive for you, you will need to create and manage your own seccomp profiles." - }, - { - "id": "CIS-5.7.2_remediation_procedure", - "name": "remediation_procedure", - "prose": "To enable the `default` seccomp profile, use the reserved value `/runtime/default` that will make sure that the pod uses the default policy available on the host." - }, - { - "id": "CIS-5.7.2_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift 4, CRI-O is the supported runtime. CRI-O runs unconfined by default in order to meet CRI conformance criteria. \n\nOn RHEL CoreOS, the default seccomp policy is associated with CRI-O and stored in `/etc/crio/seccomp.json`. The default profile is applied when the user asks for the runtime/default profile via annotation to the pod and when the associated SCC allows use of the specified seccomp profile. \n\nConfiguration of allowable seccomp profiles is managed through OpenShift Security Context Constraints." 
- }, - { - "id": "CIS-5.7.2_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;" - } - ] - }, - { - "id": "CIS-5.7.3", - "title": "Apply Security Context to Your Pods and Containers", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0004, TA0006, T1556, T1611, M1048" - } - ], - "links": [ - { - "href": "#5aa56099-0a8b-4495-8824-4ac8a6ddc6f6", - "rel": "reference" - } - ], - "parts": [ - { - "id": "CIS-5.7.3_smt", - "name": "statement", - "prose": "Apply Security Context to Your Pods and Containers" - }, - { - "id": "CIS-5.7.3_rationale_statement", - "name": "rationale_statement", - "prose": "A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context." - }, - { - "id": "CIS-5.7.3_impact_statement", - "name": "impact_statement", - "prose": "If you incorrectly apply security contexts, you may have trouble running the pods." - }, - { - "id": "CIS-5.7.3_remediation_procedure", - "name": "remediation_procedure", - "prose": "Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers." - }, - { - "id": "CIS-5.7.3_audit_procedure", - "name": "audit_procedure", - "prose": "Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate.\n\nOpenShift's Security Context Constraint feature is on by default in OpenShift 4 and applied to all pods deployed. 
SCC selection is determined by a combination of the values in the securityContext and the rolebindings for the account deploying the pod." - }, - { - "id": "CIS-5.7.3_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies CONTROL:v7 8.3 DESCRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.;" - } - ] - }, - { - "id": "CIS-5.7.4", - "title": "The default namespace should not be used", - "props": [ - { - "name": "profile", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Level 2" - }, - { - "name": "status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "draft" - }, - { - "name": "assessment_status", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "Manual" - }, - { - "name": "v7_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v7_IG3", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG1", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "False" - }, - { - "name": "v8_IG2", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "v8_IG3", - "ns": 
"https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "True" - }, - { - "name": "MITRE_ATTaCK_Mappings", - "ns": "https://ibm.github.io/compliance-trestle/schemas/oscal/catalog/cis", - "value": "TA0005, T1578, M1018" - } - ], - "parts": [ - { - "id": "CIS-5.7.4_smt", - "name": "statement", - "prose": "Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult." - }, - { - "id": "CIS-5.7.4_rationale_statement", - "name": "rationale_statement", - "prose": "Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources." - }, - { - "id": "CIS-5.7.4_impact_statement", - "name": "impact_statement", - "prose": "None" - }, - { - "id": "CIS-5.7.4_remediation_procedure", - "name": "remediation_procedure", - "prose": "Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace." - }, - { - "id": "CIS-5.7.4_audit_procedure", - "name": "audit_procedure", - "prose": "In OpenShift, projects (namespaces) are used to group and isolate related objects. When a request is made to create a new project using the web console or oc new-project command, an endpoint in OpenShift Container Platform is used to provision the project according to a template, which can be customized. \n\nThe cluster administrator can allow and configure how developers and service accounts can create, or self-provision, their own projects. Regular users do not have access to the default project. \n\nProjects starting with openshift- and kube- host cluster components that run as Pods and other infrastructure components. 
As such, OpenShift does not allow you to create Projects starting with openshift- or kube- using the oc new-project command.\n\nFor more information, see \n[Working with projects](https://docs.openshift.com/container-platform/4.4/applications/projects/working-with-projects.html) and \n[Configuring project creation](https://docs.openshift.com/containerplatform/4.4/applications/projects/configuring-project-creation.html)\n\nRun this command to list objects in default namespace\n\n```\noc project default\noc get all \n```\n\nThe only entries there should be system managed resources such as the `kubernetes` and `openshift` service" - }, - { - "id": "CIS-5.7.4_CIS_Controls", - "name": "CIS_Controls", - "prose": "TITLE:Configure Trusted DNS Servers on Enterprise Assets CONTROL:v8 4.9 DESCRIPTION:Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. ;TITLE:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers CONTROL:v7 5 DESCRIPTION:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers;" - } - ] - } - ] - } - ] - } - ], - "back-matter": { - "resources": [ - { - "uuid": "4fa8c2d3-6b4c-428a-a0bb-5e25f4bed301", - "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "a17d309e-222a-44a5-b2df-e0239742208d", - "description": 
"https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "f7f556ab-234b-4a8a-a2ca-fec600e826de", - "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" - }, - { - "uuid": "005c3423-193e-4db8-9ea4-a4535d6615dd", - "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" - }, - { - "uuid": "17caf35a-2d76-4359-8ff9-dc3b12f2a874", - "description": 
"https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/" - }, - { - "uuid": "ba265dc2-094e-48d5-a15a-8b982fb6d579", - "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/" - }, - { - "uuid": "a66fe000-f5f1-4fe8-b67f-f2260dd22875", - "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" - }, - { - "uuid": "d14ae650-3329-416b-9a3b-bea168fe3742", - "description": "https://coreos.com/etcd:https://kubernetes.io/docs/admin/etcd/:https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane" - }, - { - "uuid": "5864249f-943b-4f1c-9a21-2a0a42e92dea", - "description": "https://docs.openshift.com/container-platform/4.3/networking/cluster-network-operator.html:https://kubernetes.io/docs/concepts/cluster-administration/networking/" - }, - { - "uuid": "b679d699-ad77-45c7-9ed4-454a836b1031", - "description": 
"https://docs.openshift.com/container-platform/4.3/networking/cluster-network-operator.html:https://kubernetes.io/docs/concepts/cluster-administration/networking/" - }, - { - "uuid": "1436e335-5bdc-4339-aa7e-ded1e56b015c", - "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://etcd.io/#data-dir:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" - }, - { - "uuid": "28d31254-ad8d-47c5-a102-594b3db49a4c", - "description": "https://docs.openshift.com/container-platform/4.3/architecture/control-plane.html#defining-masters_control-plane:https://etcd.io/#data-dir:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" - }, - { - "uuid": "5872a0ff-2aea-4191-a31b-d914bdc46ca5", - "description": "https://docs.openshift.com/container-platform/4.5/cli_reference/openshift_cli/administrator-cli-commands.html:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/" - }, - { - "uuid": "4213a185-9ecd-4449-bc5b-69e70d993a1e", - "description": "https://docs.openshift.com/container-platform/4.5/cli_reference/openshift_cli/administrator-cli-commands.html:https://kubernetes.io/docs/reference/setup-tools/kubeadm/" - }, - { - "uuid": "57aa304b-00fa-4232-9256-0fd8759f895b", - "description": "https://docs.openshift.com/container-platform/4.4/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/" - }, - { - "uuid": "b85602ea-e0f6-4269-b0cd-127ca71aad50", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-kube-scheduler-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.3/nodes/scheduling/nodes-scheduler-about.html:https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/" - }, - { - "uuid": "fe348e22-27d2-4571-b80d-8c70585a573b", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" - }, - { - "uuid": "7d91ba62-6f3b-4d8e-8fc0-ff364ee9698f", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" - }, - { - "uuid": "dae88d42-4bb1-40c1-922b-b85f28d0e6a5", - "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "815280f3-e7fc-476b-a501-d0634af3a099", - "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "12f8aefa-7fd0-459f-9adb-8728606d9264", - "description": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "b9d562c5-133b-4668-9fc7-4a7282729362", - "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests" - }, - { - "uuid": "c21de945-e1d8-46eb-a6f0-4b2d39647126", - "description": "https://docs.openshift.com/container-platform/4.5/authentication/configuring-internal-oauth.html:https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-password-file" - }, - { - "uuid": "c8cac56e-c95a-492c-b4b4-96029b3d386d", - "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/configuring-internal-oauth.html:https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "211f6ba7-c1d1-4752-8760-fd0275037356", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L12-L13:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L94-L98:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/" - }, - { - "uuid": "02acf696-664a-4db1-806b-9e3bf6fefc09", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L12-L13:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L94-L98:https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/:https://kubernetes.io/docs/concepts/architecture/control-plane-node-communication/" - }, - { - "uuid": "962e3009-5d45-4476-aeca-aaefc49f6924", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/:https://kubernetes.io/docs/concepts/architecture/control-plane-node-communication/" - }, - { - "uuid": "251c9643-b352-41d2-9f01-2dfe57309378", - "description": "https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/admin/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/authorization/" - }, - { - "uuid": "bb7b5742-5b2c-430a-9b6a-4f1858595232", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/node/:https://github.com/kubernetes/kubernetes/pull/46076:https://acotten.com/post/kube17-security" - }, - { - "uuid": "1116a809-988c-4842-999b-ccef601d5394", - "description": "https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/bootkube/manifests/cluster-role-binding-kube-apiserver.yaml:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L17-L21:https://kubernetes.io/docs/reference/access-authn-authz/rbac/" - }, - { - "uuid": "1606121c-52d7-4151-a8c1-16ee0f008c11", - "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/concepts/cluster-administration/flow-control/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit:https://github.com/staebler/community/blob/9873b632f4d99b5d99c38c9b15fe2f8b93d0a746/contributors/design-proposals/admission_control_event_rate_limit.md" - }, - { - "uuid": "0528b166-2830-4e29-aa47-363dd53f4cfd", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwaysadmit" - }, - { - "uuid": "84035c9f-01d8-4568-8ae9-19adb99a17fe", - "description": 
"https://docs.openshift.com/container-platform/4.5/openshift_images/managing_images/image-pull-policy.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages" - }, - { - "uuid": "feffeefb-16ba-429b-b4ca-21388319d682", - "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#working-with-rbac" - }, - { - "uuid": "a6f2be73-fce4-478b-b7ff-771175f4ecde", - "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/understanding-and-creating-service-accounts.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount:https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/" - }, - { - "uuid": "792c0621-103b-4a4e-8dee-856b89f1a52a", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle" - }, - { - "uuid": "6efeb241-5cbd-4dc4-b441-4db43b3a9de9", - "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies" - }, - { - "uuid": "d4167fac-5246-48e7-8c49-3fe03e105295", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/origin/blob/release-4.5/vendor/k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane/manifests.go#L132" - }, - { - "uuid": "2a3c4201-8b18-42b0-8738-c147909ad9b7", - "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L104-L105:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": 
"e4203371-598c-4b79-8842-5db913aa22fd", - "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L102-L103:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L103-L105:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/kube-apiserver/pod.yaml#L155-L157:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "50031704-586c-410e-98cf-10ef739d70ee", - "description": "https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L102-L103:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L103-L105:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "b8e9bdb5-bccc-4810-bb9d-00abed8280f3", - "description": 
"https://github.com/openshift/kubernetes-kubelet/blob/master/config/v1beta1/types.go#L259-L277:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/kube-apiserver/pod.yaml#L71-L84:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md" - }, - { - "uuid": "84a0a831-5582-455f-bba9-2678f9d2907b", - "description": "https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L22-L31:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22" - }, - { - "uuid": "26f1f625-6f6b-4e4c-895b-e5e906fa60a5", - "description": 
"https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L41-L77:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22" - }, - { - "uuid": "d60e7953-7bbb-4724-ba06-c8dc1342599d", - "description": "https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L165-168:https://github.com/openshift/cluster-authentication-operator/blob/master/bindata/oauth-apiserver/deploy.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/" - }, - { - "uuid": "e0e80c67-b72e-4901-b794-f94d21ad00d3", - "description": 
"https://access.redhat.com/solutions/4262201:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/:https://github.com/kubernetes/features/issues/22" - }, - { - "uuid": "54376cd1-fb80-4913-b697-e069b70228de", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/pull/51415" - }, - { - "uuid": "1873c344-2e9a-4725-ba6e-c70b243e52b3", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L145-L146:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/issues/24167:https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use" - }, - { - "uuid": "b634e77b-e951-46d1-a6f6-4afa24dc444b", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/kubernetes/issues/24167" - }, - { - "uuid": "18aa8ead-f2ab-4af5-a05c-eab73e5b4ac8", - "description": "https://docs.openshift.com/container-platform/4.4/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://etcd.io/" - }, - { - "uuid": "cb03103c-f6ae-42fd-abf3-e8c8513d3580", - "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#user-provided-certificates-for-the-api-server_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide" - }, - { - "uuid": "befe3b8f-c971-4274-9724-1df35e87491c", - "description": 
"https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#user-provided-certificates-for-the-api-server_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide" - }, - { - "uuid": "145df28f-05bb-489e-a5f2-120c097942d7", - "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://etcd.io/" - }, - { - "uuid": "d02d38ef-2e86-4dcf-a894-b44ddb562b12", - "description": 
"https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/:https://acotten.com/post/kube17-security:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/features/issues/92" - }, - { - "uuid": "9e782cd9-b388-4b72-ba8e-5ae74e2fc06f", - "description": "https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#etcd-cluster-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/:https://acotten.com/post/kube17-security:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/:https://github.com/kubernetes/features/issues/92:https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers" - }, - { - "uuid": "22b065f6-0a4a-4564-86a1-e6a050ebbcca", - "description": 
"https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress:https://docs.openshift.com/container-platform/4.5/rest_api/config_apis/apiserver-config-openshift-io-v1.html:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators:https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites" - }, - { - "uuid": "e3a167bb-1cbd-4137-b983-f58504c4e56a", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L554-L604:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/kubernetes/issues/28484" - }, - { - "uuid": "66d532eb-5316-4b56-9a65-2cb7a0905f7e", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/tree/master:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/manifests/00_openshift-kube-controller-manager-ns.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/community/blob/master/contributors/devel/sig-scalability/profiling.md" - }, - { - "uuid": "3505a93f-6a2a-47c9-b131-a82dff05e6bb", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/tree/master:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/ds.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/sa.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/separate-sa-role.yaml:https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.5/bindata/v3.11.0/openshift-controller-manager/separate-sa-rolebinding.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/:https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml:https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml:https://kubernetes.io/docs/reference/access-authn-authz/rbac/#controller-roles" - }, - { - "uuid": 
"f9793b52-6b7b-4e7b-aae7-e19bbbc5fba4", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#service-ca-certificates_ocp-certificates:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" - }, - { - "uuid": "619a4bf8-1ef8-440e-8b2f-b8eae6ff3e56", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html:https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#service-ca-certificates_ocp-certificates:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/:https://github.com/kubernetes/kubernetes/issues/11000" - }, - { - "uuid": "6023ef46-fe27-4793-93b7-ce98ced8c51f", - "description": 
"https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml:https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml:https://github.com/kubernetes/kubernetes/blob/release-1.11/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval-controller:https://github.com/kubernetes/features/issues/267:https://github.com/kubernetes/kubernetes/pull/45059:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" - }, - { - "uuid": "6ebf3416-fb70-4668-877f-7b32f2b95156", - "description": "https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators:https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators:https://github.com/openshift/cluster-kube-controller-manager-operator:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/" - }, - { - "uuid": "cbb79ba5-171a-4d74-b1c0-8320a2768d32", - "description": 
"https://github.com/openshift/cluster-kube-scheduler-operator:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/svc.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml#L32-L37:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/:https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md" - }, - { - "uuid": "2ff045aa-73f4-4a43-847e-2800c9103fc5", - "description": "https://github.com/openshift/cluster-kube-scheduler-operator:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/svc.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml:https://github.com/openshift/cluster-kube-scheduler-operator/blob/release-4.5/bindata/v4.1.0/kube-scheduler/pod.yaml#L32-L37:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/" - }, - { - "uuid": "2f934076-115e-4a0e-a143-32b8ef9b6ac9", - "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" - }, - { - "uuid": "04d99409-c5ca-4dca-b891-b54d04ea091c", - "description": 
"https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#client-cert-auth" - }, - { - "uuid": "99e79ffc-d5d4-4ad9-91c9-0115bfc0f6a2", - "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#auto-tls" - }, - { - "uuid": "c480cf85-174b-4355-b88d-00671113c7a1", - "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/" - }, - { - "uuid": "04062f96-b445-49e4-b38d-4951b110f77b", - "description": 
"https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/:https://etcd.io/#peer-client-cert-auth" - }, - { - "uuid": "634f886c-c6f9-4d79-98fe-a68ec9ce12db", - "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/:https://etcd.io/#peer-auto-tls:https://etcd.io/#peer-auto-tls" - }, - { - "uuid": "2363ce8b-2795-4ad8-b608-b705247cb6ab", - "description": "https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates:https://github.com/openshift/cluster-etcd-operator:https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167:https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167:https://etcd.io/" - }, - { - "uuid": "8ebb9358-103a-43af-b4c2-e186afa69e70", - "description": "https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html:https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html#authorization-overview_using-rbac:https://docs.openshift.com/container-platform/4.5/authentication/remove-kubeadmin.html" - }, - { - "uuid": "c2f5eee5-88b7-438f-9493-c5746ff68ce2", - "description": 
"https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html:https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/bindata/v4.1.0/config/defaultconfig.yaml#L17-L31:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/" - }, - { - "uuid": "86318b47-61fc-4f0e-ac04-fed8c9da28bd", - "description": "https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-audit-config.html:https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html#nodes-pods-audit-log-basic_nodes-nodes-audit-log:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L47-L77:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L34-L78:https://github.com/k8scop/k8s-security-dashboard/blob/master/configs/kubernetes/adv-audit.yaml:https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#audit-policy:https://github.com/falcosecurity/falco/blob/master/examples/k8s_audit_config/audit-policy.yaml:https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L735" - }, - { - "uuid": "5523abbc-69be-44aa-b8f0-0d7765282334", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#44-joining-your-nodes:https://kubernetes.io/docs/reference/setup-tools/kubeadm/#kubelet-drop-in" - }, - { - "uuid": "5ee947fa-4977-45ef-9514-b79a9a6f8f3b", - "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#44-joining-your-nodes:https://kubernetes.io/docs/reference/setup-tools/kubeadm/#kubelet-drop-in" - }, - { - "uuid": "5c7d8368-40e9-4cca-9c90-c8a1505f9eb8", - "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/configuring-kube-proxy.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/" - }, - { - "uuid": "201ef3a5-b95c-4b95-9ca6-041cc45753f3", - "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift_sdn/configuring-kube-proxy.html:https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/" - }, - { - "uuid": "2679f20e-d437-4fbd-94d3-9300deb20362", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" - }, - { - "uuid": "efb94d9e-c91c-4b0b-8201-aa94f6c582b2", - "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" - }, - { - "uuid": "119a992c-26bc-44e0-819f-c53616338a13", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs" - }, - { - "uuid": "472cc874-97ff-4a4c-81bd-a3b565232455", - "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs" - }, - { - "uuid": "cec3a4bf-70ae-4eeb-b412-a52803f2e0d6", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" - }, - { - "uuid": "daac5ddf-fd89-4f90-acbe-3eaa4706cfb4", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/" - }, - { - "uuid": "edffbd8c-2ca8-456c-8ff8-759a7e369a87", - "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication" - }, - { - "uuid": "97c4e51f-69c2-48d6-8f3c-4820ce812ae7", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication" - }, - { - "uuid": "b0a79284-59f4-4b12-a7a4-b7fd73d32e36", - "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L28-L29:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/" - }, - { - "uuid": "aad9d053-7481-4ef1-a443-dc6fe0aa3909", - "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/docs/KubeletConfigDesign.md:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/config/defaultconfig.yaml#L28-L29:https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.6/bindata/v4.1.0/config/defaultconfig.yaml#L114-L115:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L135-L141:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/" - }, - { - "uuid": "25b0a20a-b36a-41b7-bd96-6fd4a7dfd325", - "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/pull/18552"
- },
- {
- "uuid": "fcb2eff5-95e4-4f94-b1c0-7fd3d06d829a",
- "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L618-L626:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"
- },
- {
- "uuid": "576ebaa9-bb17-44ce-98cd-021442090ba2",
- "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L618-L626:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/"
- },
- {
- "uuid": "df258d02-632c-46ba-b131-938998ac806f",
- "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/issues/22063"
- },
- {
- "uuid": "1895214f-40e8-4615-b019-61940dfa98cd",
- "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters_:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/kubeletconfig/v1beta1/types.go"
- },
- {
- "uuid": "f1854ab5-825d-4054-9a85-32e73db22296",
- "description": "https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/:https://rootsquash.com/2016/05/10/securing-the-kubernetes-api/:https://github.com/kelseyhightower/docker-kubernetes-tls-guide:https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/"
- },
- {
- "uuid": "ca0ebe3e-495e-4753-80a1-a9b809fe8fd1",
- "description": 
"https://docs.openshift.com/container-platform/4.5/architecture/control-plane.html#understanding-machine-config-operator_control-plane:https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L172-L181:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://github.com/kubernetes/kubernetes/pull/41912:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration:https://kubernetes.io/docs/imported/release/notes/:https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/"
- },
- {
- "uuid": "7fb3efc3-eb24-45a0-a08f-d321b903cd0d",
- "description": "https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/master/01-master-kubelet/_base/files/kubelet.yaml:https://github.com/openshift/machine-config-operator/blob/release-4.5/templates/worker/01-worker-kubelet/_base/files/kubelet.yaml:https://github.com/kubernetes/kubernetes/pull/45059:https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration"
- },
- {
- "uuid": "bcc08c26-c8b2-4455-85b6-e329fcd34a19",
- "description": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles"
- },
- {
- "uuid": "7529501b-33d5-4e34-9865-699bb66c1d07",
- "description": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
- },
- {
- "uuid": "a27b3a4a-2bad-49d8-af3f-78a1df9ae814",
- "description": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
- },
- {
- "uuid": "343e2a40-49b5-4238-b2de-39c5a421c84b",
- "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies"
- },
- {
- "uuid": "c6b36abb-ad36-4ca8-a53e-4d56cf82ef34",
- "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
- },
- {
- "uuid": "2b29a9f1-2454-4959-ad8b-3bb2f0ed9c98",
- "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
- },
- {
- "uuid": "3135b679-9654-4b06-ad69-c68486cd9029",
- "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
- },
- {
- "uuid": "2b50adfc-1a99-4408-bc25-65a9be712705",
- "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
- },
- {
- "uuid": "02bd932b-86f2-40ea-b393-127c921dbb1b",
- "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/"
- },
- {
- "uuid": "bc77b6a9-1889-46db-b22f-75a7dc0ead87",
- "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.trust/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
- },
- {
- "uuid": "07a1f737-1346-490e-be2b-542bcb5153c3",
- "description": 
"https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.com/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
- },
- {
- "uuid": "9abe2b7a-f6a4-4f9a-9e11-bcfe5036f2ac",
- "description": "https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html:https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies:https://www.nccgroup.com/uk/our-research/abusing-privileged-and-unprivileged-linux-containers/"
- },
- {
- "uuid": "de4f7379-b991-4a36-986c-775f51d15ce7",
- "description": "https://docs.openshift.com/container-platform/4.5/networking/openshift-sdn/about-openshift-sdn.html:https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/"
- },
- {
- "uuid": "3956167d-c231-4fdf-9b5d-8f4523d33d96",
- "description": "https://docs.openshift.com/container-platform/4.5/networking/network_policy/about-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/creating-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/multitenant-network-policy.html:https://docs.openshift.com/container-platform/4.5/networking/network_policy/default-network-policy.html:https://kubernetes.io/docs/concepts/services-networking/network-policies/:https://octetz.com/docs/2019/2019-04-22-netpol-api-k8s/:https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/"
- },
- {
- "uuid": "8d22ae4e-39b2-4a2d-b875-f3f7c340b70a",
- "description": "https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets"
- },
- {
- "uuid": "3bbb424e-c219-459e-95e5-0ddc1060db7c",
- "description": 
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook:https://github.com/kubernetes/community/blob/master/contributors/design-proposals/image-provenance.md:https://hub.docker.com/r/dnurmi/anchore-toolbox/:https://github.com/kubernetes/kubernetes/issues/22888"
- },
- {
- "uuid": "85b3d0bd-5a26-4094-b401-20276530da42",
- "description": "https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/:https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment/"
- },
- {
- "uuid": "58a34685-46ae-4842-8a99-f49445402b36",
- "description": "https://docs.openshift.com/container-platform/4.2/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth:https://github.com/kubernetes/kubernetes/issues/39845:https://github.com/kubernetes/kubernetes/pull/21790:https://github.com/kubernetes/community/blob/master/contributors/design-proposals/seccomp.md#examples:https://docs.docker.com/engine/security/seccomp/"
- },
- {
- "uuid": "5aa56099-0a8b-4495-8824-4ac8a6ddc6f6",
- "description": "https://kubernetes.io/docs/concepts/policy/security-context/:https://learn.cisecurity.org/benchmarks"
- }
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.1.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.1.md
deleted file mode 100644
index a70a695..0000000
--- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.1.md
+++ /dev/null
@@ -1,47 +0,0 @@ -# CIS-1.1.1 - \[Master Node Configuration Files\] Ensure that the API server pod specification file permissions are set to 600 or more restrictive - -## Control Statement - -Ensure that the API server pod specification file has permissions of `600` or more restrictive. - -## Control rationale_statement - -The API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable only by the administrators on the system. - -## Control impact_statement - -None - -## Control remediation_procedure - -execute command: - -``` -chmod 600 /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml -``` - -## Control audit_procedure - -OpenShift 4 deploys two API servers: the OpenShift API server and the Kube API server. The OpenShift API server delegates requests for Kubernetes objects to the Kube API server. - -The OpenShift API server is managed as a deployment. The pod specification yaml for openshift-apiserver is stored in etcd. - -The Kube API Server is managed as a static pod. The pod specification file for the kube-apiserver is created on the control plane nodes at /etc/kubernetes/manifests/kube-apiserver-pod.yaml. The kube-apiserver is mounted via hostpath to the kube-apiserver pods via /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml with permissions 0644. - -To verify pod specification file permissions for the kube-apiserver, run the following command. - -``` -#echo “check kube-apiserver pod specification file permissions” - -for i in $( oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o name ) -do - oc exec -n openshift-kube-apiserver $i -- \ - stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml -done -``` - -Verify that the permissions are 600 or more restrictive. 
- -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.10.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.10.md deleted file mode 100644 index eaf0e72..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.10.md +++ /dev/null 
@@ -1,83 +0,0 @@ -# CIS-1.1.10 - \[Master Node Configuration Files\] Ensure that the Container Network Interface file ownership is set to root:root - -## Control Statement - -Ensure that the Container Network Interface files have ownership set to `root:root`. - -## Control rationale_statement - -Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be owned by `root:root`. - -## Control impact_statement - -None - -## Control remediation_procedure - -No remediation required; file permissions are managed by the operator. - -## Control audit_procedure - -The Cluster Network Operator (CNO) deploys and manages the cluster network components on an OpenShift Container Platform cluster. This includes the Container Network Interface (CNI) default network provider plug-in selected for the cluster during installation. OpenShift Container Platform uses the Multus CNI plug-in to allow chaining of CNI plug-ins. The default Pod network must be configured during cluster installation. By default, the CNO deploys the OpenShift SDN as the default Pod network. - -Ensure that the `multu` and `openshift-sdn` file ownership is set to root:root and the Open vSwitch (OVS) file ownership is set to `openvswitch:openvswitch`. - -The SDN components are deployed as DaemonSets across the master/worker nodes with controllers limited to control plane nodes. OpenShift deploys OVS as a network overlay by default. Various configurations (ConfigMaps and other files managed by the operator via `hostpath` but stored on the container hosts) are stored in the following locations: - -CNI: - -`/etc/cni/net.d` -`/host/var/run/multus/cni/net.d` - -SDN: - -`/var/lib/cni/networks/openshift-sdn ` -`/var/run/openshift-sdn` - -SDN OVS: - -`/var/run/openvswitch` -`/etc/openvswitch` -`/run/openvswitch` - -Run the following commands. 
- -``` - -# For CNI multus -for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%U:%G %n\" /host/etc/cni/net.d/*.conf"; done - -for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%U:%G %n\" /host/var/run/multus/cni/net.d/*.conf"; done - -# For SDN pods -for i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c \"%U:%G\" {} \;; done - -for i in $(oc get pods -n openshift-sdn -l app=sdn -oname); do oc exec -n openshift-sdn $i -- find /var/run/openshift-sdn -type f -exec stat -c %U:%G {} \;; done - -# For OVS pods in 4.5 -for i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /var/run/openvswitch -type f -exec stat -c %U:%G {} \;; done - -for i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /etc/openvswitch -type f -exec stat -c %U:%G {} \;; done - -for i in $(oc get pods -n openshift-sdn -l app=ovs -oname); do oc exec -n openshift-sdn $i -- find /run/openvswitch -type f -exec stat -c %U:%G {} \;; done - -# For OVS pods in 4.6 -TBD -``` - -Verify that the CNI and SDN file ownership is set to `root:root`. - -`/host/etc/cni/net.d/00-multus.conf = root:root` -`/host/var/run/multus/cni/net.d/80-openshift-network.conf = root:root` -`/var/lib/cni/networks/openshift-sdn = root:root` -`/var/run/openshift-sdn = root:root` - -Verify that the OVS file ownership is set to `openvswitch:openvswitch`. 
- -`/var/run/openvswitch = openvswitch:openvswitch` -`/etc/openvswitch = openvswitch:openvswitch` -`/run/openvswitch = openvswitch:openvswitch` - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.11.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.11.md deleted file mode 100644 index 6de91c4..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.11.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# CIS-1.1.11 - \[Master Node Configuration Files\] Ensure that the etcd data directory permissions are set to 700 or more restrictive - -## Control Statement - -Ensure that the etcd data directory has permissions of `700` or more restrictive. - -## Control rationale_statement - -`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should not be readable or writable by any group members or the world. - -## Control impact_statement - -None - -## Control remediation_procedure - -No remediation required. File permissions are managed by the `etcd` operator. - -## Control audit_procedure - -In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The pod specification file is created on control plane nodes at `/etc/kubernetes/manifests/etcd-member.yaml`. The `etcd` database is stored on the container host in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The permissions for this directory on the container host is `700`. - -Starting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. cluster-admin rights are required to exec into `etcd` containers. - -Run the following commands. - -``` -for i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %a%n /var/lib/etcd/member; done -``` - -Verify that the permissions are `700`. - -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.12.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.12.md deleted file mode 100644 index 4b123a1..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.12.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# CIS-1.1.12 - \[Master Node Configuration Files\] Ensure that the etcd data directory ownership is set to etcd:etcd - -## Control Statement - -Ensure that the `etcd` data directory ownership is set to `etcd:etcd`. - -## Control rationale_statement - -`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`. - -NOTE: The only users that exist on an RHCOS OpenShift node are root and core. This is intentional, as regular management of the underlying RHCOS cluster nodes is designed to be performed via the OpenShift API itself. The core user is a member of the wheel group, which gives it permission to use `sudo` for running privileged commands. Adding additional users at the node level is highly discouraged. - -## Control impact_statement - -None - -## Control remediation_procedure - -No remediation required; file ownership is managed by the operator. - -## Control audit_procedure - -In OpenShift 4, `etcd` members are deployed on the master nodes as static pods. The `etcd` database is stored on the master nodes in `/var/lib/etcd` and mounted to the `etcd-member` container via the host path mount data-dir with the same filesystem path (`/var/lib/etcd`). The ownership for this directory on the `etcd-member` container and on the container host is `root:root`. - -Starting with OCP 4.4, `etcd` is managed by the `cluster-etcd-operator`. The `etcd` operator will help to automate restoration of master nodes. There is also a new `etcdctl` container in the `etcd` static pod for quick debugging. cluster-admin rights are required to exec into `etcd` containers. - -Run the following command. 
- -``` -for i in $(oc get pods -n openshift-etcd -l app=etcd -oname); do oc exec -n openshift-etcd -c etcd $i -- stat -c %U:%G /var/lib/etcd/member; done -``` - -Verify that the ownership is set to `root:root`. - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.13.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.13.md deleted file mode 100644 index 7816366..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.1/CIS-1.1.13.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# CIS-1.1.13 - \[Master Node Configuration Files\] Ensure that the admin.conf file permissions are set to 600 or more restrictive - -## Control Statement - -Ensure that the `admin.conf` file has permissions of `600` or more restrictive. - -## Control rationale_statement - -The `admin.conf` is the administrator `kubeconfig` file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. - -## Control impact_statement - -None. - -## Control remediation_procedure - -Execute the command below: - -``` -chmod 600 /etc/kubernetes/kubeconfig/admin.config -``` - -## Control audit_procedure - -In OpenShift 4 the admin config file is stored in `/etc/kubernetes/kubeconfig` with permissions `644`. - -Run the following command. - -``` -for i in $(oc get nodes -o name) - do - echo $i - oc debug $i -- <.`. The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. - -Run the following command: - -``` -# TLS Cert File - openshift-kube-apiserver -oc get configmap config -n openshift-kube-apiserver -ojson | \ - jq -r '.data["config.yaml"]' | \ - jq -r .servingInfo.certFile - -# TLS Key File -oc get configmap config -n openshift-kube-apiserver -ojson | \ - jq -r '.data["config.yaml"]' | \ - jq -r .servingInfo.keyFile -``` - -Verify that the following files exist. - -`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.crt` -`/etc/kubernetes/static-pod-certs/secrets/service-network-serving-certkey/tls.key` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.31.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.31.md deleted file mode 100644 index 425c4c2..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.31.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# CIS-1.2.31 - \[API Server\] Ensure that the --client-ca-file argument is set as appropriate - -## Control Statement - -Setup TLS connection on the API server. - -## Control rationale_statement - -API server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate. - -## Control impact_statement - -TLS and client certificate authentication must be configured for your Kubernetes cluster deployment. By default, OpenShift uses X.509 certificates to provide secure connections between the API server and node/kubelet. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. The OpenShift Container Platform alerting framework has rules to help identify when a certificate issue is about to occur. These rules consist of the following checks: - -- API server client certificate expiration is less than five minutes. - -## Control remediation_procedure - -OpenShift automatically manages TLS authentication for the API server communication with the node/kublet. This is not configurable. - -You may optionally set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. - -``` -User-provided certificates must be provided in a kubernetes.io/tls type Secret in the openshift-config namespace. Update the API server cluster configuration, the apiserver/cluster resource, to enable the use of the user-provided certificate. 
-``` - -## Control audit_procedure - -OpenShift uses X.509 certificates to provide secure connections between API server and node/kubelet by default. OpenShift configures the `client-ca-file` value and does not use value assigned to the `client-ca-file` flag. OpenShift generates the necessary files and sets the arguments appropriately. - -The API server is accessible by clients external to the cluster at `api..`. The administrator must set a custom default certificate to be used by the API server when serving content in order to enable clients to access the API server at a different host name or without the need to distribute the cluster-managed certificate authority (CA) certificates to the clients. - -Run the following command: - -``` -oc get configmap config -n openshift-kube-apiserver -ojson | \ - jq -r '.data["config.yaml"]' | \ - jq -r .servingInfo.clientCA -``` - -Verify that the following file exists. - -`/etc/kubernetes/static-pod-certs/configmaps/client-ca/ca-bundle.crt` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.32.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.32.md deleted file mode 100644 index 68d1b4f..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.32.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# CIS-1.2.32 - \[API Server\] Ensure that the --etcd-cafile argument is set as appropriate - -## Control Statement - -`etcd` should be configured to make use of TLS encryption for client connections. - -## Control rationale_statement - -`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the `etcd` server using a SSL Certificate Authority file. - -## Control impact_statement - -TLS and client certificate authentication must be configured for `etcd`. - -## Control remediation_procedure - -None required. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. Communication with `etcd` is secured by the `etcd` serving CA. - -## Control audit_procedure - -OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift does not use values assigned to the `etcd-cafile` argument. OpenShift generates the `etcd-cafile` and sets the arguments appropriately in the API server. OpenShift includes multiple certificate authorities (CAs) providing independent chains of trust, increasing the security posture of the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. Communication with `etcd` is secured by the `etcd` serving CA. 
- -Run the following command - -``` -# etcd CA File -oc get configmap config -n openshift-kube-apiserver -ojson | \ - jq -r '.data["config.yaml"]' | \ - jq -r .storageConfig.ca - -# for ocp 4.6 replace jq -r .storageConfig.ca with - jq -r '.apiServerArguments["etcd-cafile"]' -``` - -Verify that the following is returned - -`/etc/kubernetes/static-pod-resources/configmaps/etcd-serving-ca/ca-bundle.crt` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.33.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.33.md deleted file mode 100644 index b94b064..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.33.md +++ /dev/null 
@@ -1,49 +0,0 @@ -# CIS-1.2.33 - \[API Server\] Ensure that the --encryption-provider-config argument is set as appropriate - -## Control Statement - -Encrypt `etcd` key-value store. - -## Control rationale_statement - -`etcd` is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures. - -## Control impact_statement - -When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: - -- Secrets -- ConfigMaps -- Routes -- OAuth access tokens -- OAuth authorize tokens - -When you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup. - -## Control remediation_procedure - -Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html) - -## Control audit_procedure - -OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. Keys are stored on the filesystem of the master and automatically rotated. - -Follow the steps in the documentation to encrypt the `etcd` datastore: Encrypting [etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html) - -Run the following command to review the `Encrypted` status condition for the OpenShift API server to verify that its resources were successfully encrypted: - -``` -# encrypt the etcd datastore -oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}' -``` - -The output shows `EncryptionCompleted` upon successful encryption. 
- -- `EncryptionCompleted` -- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io` - -If the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again. - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.34.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.34.md deleted file mode 100644 index 8bc923b..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.34.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# CIS-1.2.34 - \[API Server\] Ensure that encryption providers are appropriately configured - -## Control Statement - -Where `etcd` encryption is used, appropriate providers should be configured. - -## Control rationale_statement - -Where `etcd` encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the `aescbc`, `kms` and `secretbox` are likely to be appropriate options. - -## Control impact_statement - -When you enable `etcd` encryption, the following OpenShift API server and Kubernetes API server resources are encrypted: - -- Secrets -- ConfigMaps -- Routes -- OAuth access tokens -- OAuth authorize tokens - -When you enable `etcd` encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an `etcd` backup. - -## Control remediation_procedure - -Follow the OpenShift documentation for [Encrypting etcd data | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/security/encrypting-etcd.html) - -## Control audit_procedure - -OpenShift supports encryption of data at rest of `etcd` datastore, but it is up to the customer to configure. The `asecbc` cipher is used. No other ciphers are supported. Keys are stored on the filesystem of the master and automatically rotated. - -Run the following command to review the Encrypted status condition for the OpenShift API server to verify that its resources were successfully encrypted: - -``` -# encrypt the etcd datastore -oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}' -``` - -The output shows EncryptionCompleted upon successful encryption. 
- -- `EncryptionCompleted` -- `All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io` - -If the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again. - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.35.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.35.md deleted file mode 100644 index 731ae00..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.35.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# CIS-1.2.35 - \[API Server\] Ensure that the API Server only makes use of Strong Cryptographic Ciphers - -## Control Statement - -Ensure that the API server is configured to only use strong cryptographic ciphers. - -## Control rationale_statement - -TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided. - -## Control impact_statement - -API server clients that cannot support the custom cryptographic ciphers will not be able to make connections to the API server. - -## Control remediation_procedure - -Follow the directions above and in the OpenShift documentation Configuring Ingress. - -## Control audit_procedure - -Ciphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. There are four TLS security profile types: - -- Old -- Intermediate -- Modern -- Custom - -Only the Old, Intermediate and Custom profiles are supported at this time. Custom provides the ability to specify individual TLS security profile parameters. Follow the steps in the documentation to configure the cipher suite for Ingress and the API server. [Ingress controller configuration parameters](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress) - -Run the following commands to verify the cipher suite and `minTLSversion` for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and `Kube APIserver`. 
- -``` -# verify cipher suites -oc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\-0\-config\-system\-cliconfig}' | jq .servingInfo -oc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo -oc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo -oc describe --namespace=openshift-ingress-operator ingresscontroller/default -``` - -Verify that the `tlsSecurityProfile` is set to the value you chose. - -Note: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2. - -## Control CIS_Controls - -TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.4.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.4.md deleted file mode 100644 index bd99465..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.4.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# CIS-1.2.4 - \[API Server\] Use https for kubelet connections - -## Control Statement - -Use https for kubelet connections. - -## Control rationale_statement - -Connections from `apiserver` to `kubelets` could potentially carry sensitive data such as secrets and keys. It is thus important to use in-transit encryption for any communication between the `apiserver` and `kubelets`. - -## Control impact_statement - -You require TLS to be configured on `apiserver` as well as `kubelets`. - -## Control remediation_procedure - -No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable. - -## Control audit_procedure - -OpenShift does not use the `--kubelet-https` argument. OpenShift utilizes X.509 certificates for authentication of the control-plane components. OpenShift configures the API server to use an internal certificate authority (CA) to validate the user certificate sent during TLS negotiation. If the validation of the certificate is successful, the request is authenticated and user information is derived from the certificate subject fields. - -To verify the kubelet client certificates are present, run the following command: - -``` -#for 4.5 -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.kubeletClientInfo' - -#for 4.6 -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' - -#for both 4.5 and 4.6 -oc -n openshift-apiserver describe secret serving-cert -``` - -Verify that the kubelet client-certificate and kubelet client-key files are present. 
- -client-certificate: - -`/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt` - -client-key: - -`/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key` - -Verify that the serving-cert for the `openshift-apiserver` is type kubernetes.io/tls and that returned Data includes `tls.crt` and `tls.key`. - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.5.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.5.md deleted file mode 100644 index 0fe8399..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.5.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# CIS-1.2.5 - \[API Server\] Ensure that the kubelet uses certificates to authenticate - -## Control Statement - -Enable certificate based kubelet authentication. - -## Control rationale_statement - -The apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests. - -## Control impact_statement - -Require TLS to be configured on the apiserver as well as kubelets. - -## Control remediation_procedure - -No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable. - -## Control audit_procedure - -OpenShift does not use the `--kubelet-client-certificate` or the `kubelet-client-ke`y arguments. OpenShift utilizes X.509 certificates for authentication of the control-plane components. OpenShift configures the API server to use an internal certificate authority (CA) to validate the user certificate sent during TLS negotiation. If the CA validation of the certificate is successful, the request is authenticated and user information is derived from the certificate subject fields. - -To verify the certificates are present, run the following command: - -``` -#for 4.5 -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.kubeletClientInfo' - -#for 4.6 -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' - -#for both 4.5 and 4.6 -oc -n openshift-apiserver describe secret serving-cert -``` - -Verify that the kubelet client-certificate and kubelet client-key files are present. 
- -client-certificate: - -`/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt` - -client-key: - -`/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key` - -Verify that the serving-cert for the `openshift-apiserver` is type `kubernetes.io/tls` and that returned Data includes `tls.crt` and `tls.key`. - -## Control CIS_Controls - -TITLE:Leverage Vetted Modules or Services for Application Security Components CONTROL:v8 16.11 DESCRIPTION:Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.6.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.6.md deleted file mode 100644 index cb3913f..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.6.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# CIS-1.2.6 - \[API Server\] Verify that the kubelet certificate authority is set as appropriate - -## Control Statement - -Verify kubelet's certificate before establishing connection. - -## Control rationale_statement - -The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. - -## Control impact_statement - -You require TLS to be configured on apiserver as well as kubelets. - -## Control remediation_procedure - -No remediation is required. OpenShift platform components use X.509 certificates for authentication. OpenShift manages the CAs and certificates for platform components. This is not configurable. - -## Control audit_procedure - -OpenShift does not use the `--kubelet-certificate-authority` flag. OpenShift utilizes X.509 certificates for authentication of the control-plane components. OpenShift configures the API server to use an internal certificate authority (CA) to validate the user certificate sent during TLS negotiation. If the CA validation of the certificate is successful, the request is authenticated and user information is derived from the certificate subject fields. - -To verify, run the following command: - -``` -# for 4.5 -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.kubeletClientInfo' - -# for 4.6 -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' -``` - -Verify that the value for ca is the following. 
- -`"ca": "/etc/kubernetes/static-pod-resources/configmaps/kubelet-serving-ca/ca-bundle.crt"` - -## Control CIS_Controls - -TITLE:Leverage Vetted Modules or Services for Application Security Components CONTROL:v8 16.11 DESCRIPTION:Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.7.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.7.md deleted file mode 100644 index 64a1988..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.7.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# CIS-1.2.7 - \[API Server\] Ensure that the --authorization-mode argument is not set to AlwaysAllow - -## Control Statement - -Do not always authorize all requests. - -## Control rationale_statement - -The API Server, can be configured to allow all requests. This mode should not be used on any production cluster. - -## Control impact_statement - -Only authorized requests will be served. - -## Control remediation_procedure - -None. RBAC is always on and the OpenShift API server does not use the values assigned to the flag authorization-mode. - -## Control audit_procedure - -It is not possible to configure an OpenShift cluster to allow all requests. OpenShift is configured at bootstrap time to use RBAC to authorize requests. Role-based access control (RBAC) objects determine what actions a user is allowed to perform on what objects in an OpenShift cluster. Cluster administrators manage RBAC for the cluster. Project owners can manage RBAC for their individual OpenShift projects. The OpenShift API server configmap does not use the `authorization-mode` flag. - -To verify, run the following commands: - -``` -# To verify that the authorization-mode argument is not used -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' -oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' - -#Check that no overrides are configured -oc get kubeapiservers.operator.openshift.io cluster -o json | jq -r '.spec.unsupportedConfigOverrides' - -# To verify RBAC is configured: -oc get clusterrolebinding -oc get clusterrole -oc get rolebinding -oc get role -``` - -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.8.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.8.md deleted file mode 100644 index c964cd5..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.8.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# CIS-1.2.8 - \[API Server\] Verify that the Node authorizer is enabled - -## Control Statement - -Restrict kubelet nodes to reading only objects associated with them. - -## Control rationale_statement - -The Node authorization mode only allows kubelets to read `Secret`, `ConfigMap`, `PersistentVolume`, and `PersistentVolumeClaim` objects associated with their nodes. - -## Control impact_statement - -None - -## Control remediation_procedure - -No remediation is required. - -## Control audit_procedure - -In OpenShift, the Node authorizer is enabled by default and is not configurable. In OpenShift 4.5 and earlier the OpenShift API server `configmap` does not use the `authorization-mode` flag. - -``` -# For OCP 4.5 and earlier verify that authorization-mode is not used -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' -oc get kubeapiservers.operator.openshift.io cluster -o json | jq '.spec.observedConfig.apiServerArguments' - -# For OCP 4.5 and earlier verify that authorization-mode is not used -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host cat /etc/kubernetes/kubelet.conf | grep authorization-mode - oc debug node/${node} -- chroot /host ps -aux | grep kubelet | grep authorization-mode -done - -#Check that no overrides are configured -oc get kubeapiservers.operator.openshift.io cluster -o json | jq -r '.spec.unsupportedConfigOverrides' -``` - -For OCP 4.5, verify that the `authorization-mode` argument is not present. - -For OCP 4.6 and above, verify that the `authorization-mode` argument includes `Node`. - -Verify the no overrides are configured. - -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.9.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.9.md deleted file mode 100644 index c02b564..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.2/CIS-1.2.9.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# CIS-1.2.9 - \[API Server\] Verify that RBAC is enabled - -## Control Statement - -Turn on Role Based Access Control. - -## Control rationale_statement - -Role Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. It is recommended to use the RBAC authorization mode. - -## Control impact_statement - -When RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access. - -## Control remediation_procedure - -None. It is not possible to disable RBAC. - -## Control audit_procedure - -OpenShift is configured at bootstrap time to use RBAC to authorize requests. Role-based access control (RBAC) objects determine what actions a user is allowed to perform on what objects in an OpenShift cluster. Cluster administrators manage RBAC for the cluster. Project owners can manage RBAC for their individual OpenShift projects. The OpenShift API server `configmap` does not use the `authorization-mode` flag. 
- -To verify, run the following commands: - -``` -# For 4.5 To verify that the authorization-mode argument is not used -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' -oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' - -#Check that no overrides are configured -oc get kubeapiservers.operator.openshift.io cluster -o json | jq -r '.spec.unsupportedConfigOverrides' - -# To verify RBAC is used -oc get clusterrolebinding -oc get clusterrole -oc get rolebinding -oc get role - -# For 4.6, verify that the authorization-mode argument includes RBAC -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments["authorization-mode"]' -``` - -For OCP 4.5, verify that the `authorization-mode` argument is not present. Verify the expected roles and role bindings are returned. - -For OCP 4.6 and above, verify that the `authorization-mode` argument includes RBAC. - -Verify the no overrides are configured. - -## Control CIS_Controls - -TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.; 
diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.1.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.1.md deleted file mode 100644 index 020393f..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.1.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# CIS-1.3.1 - \[Controller Manager\] Ensure that garbage collection is configured as appropriate - -## Control Statement - -Activate garbage collector on pod termination, as appropriate. - -## Control rationale_statement - -Garbage collection is important to ensure sufficient resource availability and avoiding degraded performance and availability. In the worst case, the system might crash or just be unusable for a long period of time. The current setting for garbage collection is 12,500 terminated pods which might be too high for your system to sustain. Based on your system resources and tests, choose an appropriate threshold value to activate garbage collection. - -## Control impact_statement - -None - -## Control remediation_procedure - -To configure, follow the directions in [Configuring garbage collection for containers and images]( -https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring) - -## Control audit_procedure - -Two types of garbage collection are performed on an OpenShift Container Platform node: - -- Container garbage collection: Removes terminated containers. -- Image garbage collection: Removes images not referenced by any running pods. - -Container garbage collection can be performed using eviction thresholds. Image garbage collection relies on disk usage as reported by cAdvisor on the node to decide which images to remove from the node. 
Default values are found here https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L554-L604 - -The OpenShift administrator can configure how OpenShift Container Platform performs garbage collection by creating a `kubeletConfig` object for each Machine Config Pool using any combination of the following: - -- soft eviction for containers -- hard eviction for containers -- eviction for images - -To configure, follow the directions in - -https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring - -To verify settings, run the following command for each updated `configpool` - -``` -oc get machineconfigpool - -# For each machineconfigpool -oc describe machineconfigpool - -#For example -oc describe machineconfigpool master -oc describe machineconfigpool worker -``` - -Verify the values for the following are set as appropriate. - -`eviction-soft` -`evictionSoftGracePeriod` -`evictionHard` -`evictionPressureTransitionPeriod` - -## Control CIS_Controls - -TITLE:Enable Anti-Exploitation Features CONTROL:v8 10.5 DESCRIPTION:Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.;TITLE:Establish Secure Configurations CONTROL:v7 5.1 DESCRIPTION:Maintain documented, standard security configuration standards for all authorized operating systems and software.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.2.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.2.md deleted file mode 100644 index c79f0f2..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.2.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# CIS-1.3.2 - \[Controller Manager\] Ensure that controller manager healthz endpoints are protected by RBAC - -## Control Statement - -Disable profiling, if not needed. - -## Control rationale_statement - -Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface. - -## Control impact_statement - -Profiling information would not be available. - -## Control remediation_procedure - -None required; profiling is protected by RBAC. - -## Control audit_procedure - -By default, the Controller Manager operator exposes metrics via the metrics service. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to cluster-admin or cluster-debugger role. - -Profiling can not be disabled. 
- -To verify the configuration, run the following command: - -Run the following command: - -``` -# Verify configuration for ports, livenessProbe, readinessProbe, healthz -oc -n openshift-kube-controller-manager get cm kube-controller-manager-pod -o json | jq -r '.data."pod.yaml"' | jq '.spec.containers' - -# Verify endpoints -oc -n openshift-kube-controller-manager describe endpoints - -# Test to validate RBAC enabled on the controller endpoint; check with non-admin role -oc project openshift-kube-controller-manager - -POD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}') - -PORT=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].spec.containers[0].ports[0].hostPort}') - -# Following should return 403 Forbidden -oc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -k - -# Create a service account to test RBAC -oc create -n openshift-kube-controller-manager sa permission-test-sa - -# Should return 403 Forbidden -SA_TOKEN=$(oc sa -n openshift-kube-controller-manager get-token permission-test-sa) -oc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -H "Authorization: Bearer $SA_TOKEN" -k - -# Cleanup -oc delete -n openshift-kube-controller-manager sa permission-test-sa - -# As cluster admin, should succeed -CLUSTER_ADMIN_TOKEN=$(oc whoami -t) -oc rsh -n openshift-kube-controller-manager ${POD} curl https://localhost:${PORT}/metrics -H "Authorization: Bearer $CLUSTER_ADMIN_TOKEN" -k -``` - -Verify that the livenessProbe and readinessProbe are set to path: `healthz`. - -Verify that regular users cannot learn anything about the controller manager. - -Verify that users with the cluster_admin role can retrieve metrics from the endpoint. 
- -## Control CIS_Controls - -TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.3.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.3.md deleted file mode 100644 index eb86de4..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.3.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# CIS-1.3.3 - \[Controller Manager\] Ensure that the --use-service-account-credentials argument is set to true - -## Control Statement - -Use individual service account credentials for each controller. - -## Control rationale_statement - -The controller manager creates a service account per controller in the `kube-system` namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks. - -## Control impact_statement - -Whatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the `kube-system` namespace automatically with default roles and `rolebindings` that are auto-reconciled on startup. - -If using other authorization methods (ABAC, Webhook, etc), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles. - -## Control remediation_procedure - -The OpenShift Controller Manager operator manages and updates the OpenShift Controller Manager. The Kubernetes Controller Manager operator manages and updates the [Kubernetes Controller Manager](https://github.com/kubernetes/kubernetes) deployed on top of [OpenShift](https://openshift.io/). This operator is configured via [KubeControllerManager](https://github.com/openshift/api/blob/master/operator/v1/types_kubecontrollermanager.go) custom resource. 
- -## Control audit_procedure - -In OpenShift, `--use-service-account-credentials` is set to `true` by default for the Controller Manager. The bootstrap configuration and overrides are available here: - -[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml) - -[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml) - -Run the following command on the master node: - -``` -oc get configmaps config -n openshift-kube-controller-manager -ojson | \ - jq -r '.data["config.yaml"]' | \ - jq -r '.extendedArguments["use-service-account-credentials"][]' -``` - -Verify that the `--use-service-account-credentials` argument is set to `true`. - -## Control CIS_Controls - -TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.4.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.4.md deleted file mode 100644 index a40b930..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.4.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# CIS-1.3.4 - \[Controller Manager\] Ensure that the --service-account-private-key-file argument is set as appropriate - -## Control Statement - -Explicitly set a service account private key file for service accounts on the controller manager. - -## Control rationale_statement - -To ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate. - -## Control impact_statement - -You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy. - -## Control remediation_procedure - -None required. OpenShift manages the service account credentials for the scheduler automatically. - -## Control audit_procedure - -OpenShift starts the Kubernetes Controller Manager with service-account-private-key-file set to `/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key`. 
- -The bootstrap configuration and overrides are available here: - -[kube-controller-manager-pod](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml) - -[bootstrap-config-overrides](https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/config/bootstrap-config-overrides.yaml) - -Run the following command: - -``` -oc get configmaps config -n openshift-kube-controller-manager -ojson | \ - jq -r '.data["config.yaml"]' | \ - jq -r '.extendedArguments["service-account-private-key-file"][]' -``` - -Verify that the following is returned - -`/etc/kubernetes/static-pod-resources/secrets/service-account-private-key/service-account.key` - -## Control CIS_Controls - -TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.5.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.5.md deleted file mode 100644 index 1f77c39..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.5.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# CIS-1.3.5 - \[Controller Manager\] Ensure that the --root-ca-file argument is set as appropriate - -## Control Statement - -Allow pods to verify the API server's serving certificate before establishing connections. - -## Control rationale_statement - -Processes running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. - -Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server. - -## Control impact_statement - -OpenShift clusters manage and maintain certificate authorities and certificates for cluster components. - -## Control remediation_procedure - -None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform. - -## Control audit_procedure - -Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform. - -Run the following command: - -``` -oc get configmaps config -n openshift-kube-controller-manager -ojson | \ - jq -r '.data["config.yaml"]' | \ - jq -r '.extendedArguments["root-ca-file"][]' -``` - -Verify that the `--root-ca-file` argument exists and is set to `/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt`. - -## Control CIS_Controls - -TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.; 
diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.6.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.6.md
deleted file mode 100644
index 4e56f73..0000000
--- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.6.md
+++ /dev/null
@@ -1,35 +0,0 @@ -# CIS-1.3.6 - \[Controller Manager\] Ensure that the RotateKubeletServerCertificate argument is set to true - -## Control Statement - -Enable kubelet server certificate rotation on controller-manager. - -## Control rationale_statement - -`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. - -Note: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. Certificates for OpenShift platform components are automatically created and rotated by the OpenShift Container Platform. - -## Control audit_procedure - -Certificates for the kubelet are automatically created and rotated by the OpenShift Container Platform. The kubelet is installed automatically on every RHCOS node. The OpenShift `kubelet-serving-CA` manages certificates for the kubelet. Kubelet certificates are automatically issued and rotated. - -Run the following command: - -``` -oc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data["config.yaml"]' | jq -r '.extendedArguments["feature-gates"][]' -``` - -Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`. - -## Control CIS_Controls - -TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. 
;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;
diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.7.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.7.md
deleted file mode 100644
index 8ed86b6..0000000
--- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.3/CIS-1.3.7.md
+++ /dev/null
@@ -1,42 +0,0 @@ -# CIS-1.3.7 - \[Controller Manager\] Ensure that the --bind-address argument is set to 127.0.0.1 - -## Control Statement - -Do not bind the Controller Manager service to non-loopback insecure addresses. - -## Control rationale_statement - -The Controller Manager API service which runs on port 10257/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. The OpenShift operators configure this correctly. - -## Control audit_procedure - -The `bind-address` argument is not used. The `secure-port` argument is set to `10257`. The `insecure-port` argument is set to `0`. - -Run the following command: - -``` -oc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data["config.yaml"]' | jq '.extendedArguments["secure-port"][]' - -oc get configmaps config -n openshift-kube-controller-manager -ojson | jq -r '.data["config.yaml"]' | jq '.extendedArguments["port"][]' - -#Following should fail with a http code 403 -POD=$(oc get pods -n openshift-kube-controller-manager -l app=kube-controller-manager -o jsonpath='{.items[0].metadata.name}') - -oc rsh -n openshift-kube-controller-manager -c kube-controller-manager $POD curl https://localhost:10257/metrics -k -``` - -Verify that `secure-port` is set to `10257` and that `port` is set to `0`. - -Verify that attempt to access the controller manager metrics fails with a HTTP code 403. 
- -## Control CIS_Controls - -TITLE:Use of Secure Network Management and Communication Protocols  CONTROL:v8 12.6 DESCRIPTION:Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.; diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.1.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.1.md deleted file mode 100644 index 2cdef3c..0000000 --- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.1.md +++ /dev/null 
@@ -1,75 +0,0 @@ -# CIS-1.4.1 - \[Scheduler\] Ensure that the healthz endpoints for the scheduler are protected by RBAC - -## Control Statement - -Disable profiling, if not needed. - -## Control rationale_statement - -Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface. - -## Control impact_statement - -Profiling information would not be available. - -## Control remediation_procedure - -A fix to this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488 - -None required. Profiling is protected by RBAC and cannot be disabled. - -## Control audit_procedure - -In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1` - -To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled. 
- -To verify the configuration, run the following command: - -Run the following command: - -``` -# check configuration for ports, livenessProbe, readinessProbe, healthz - -oc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data."pod.yaml"' | jq '.spec.containers' - -# Test to verify endpoints - -oc -n openshift-kube-scheduler describe endpoints - -Test to validate RBAC enabled on the scheduler endpoint; check with non-admin role - -oc project openshift-kube-scheduler - -POD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}') - -PORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}') - -# Should return 403 Forbidden -oc rsh ${POD} curl http://localhost:${PORT}/metrics -k - -# Create a service account to test RBAC -oc create sa permission-test-sa - -# Should return 403 Forbidden -SA_TOKEN=$(oc sa get-token permission-test-sa) - -oc rsh ${POD} curl http://localhost:${PORT}/metrics -H "Authorization: Bearer $SA_TOKEN" -k - -# Cleanup -oc delete sa permission-test-sa - -# As cluster admin, should succeed -CLUSTER_ADMIN_TOKEN=$(oc whoami -t) -oc rsh ${POD} curl http://localhost:${PORT}/metrics -H "Authorization: Bearer $CLUSTER_ADMIN_TOKEN" -k -``` - -Verify that the livenessProbe and readinessProbe are set to path: `healthz`. - -Verify that only users with the `cluster_admi`n role can retrieve metrics from the endpoint. - -Verify that a regular user cannot get information about the scheduler. NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488 - -## Control CIS_Controls - -TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. 
Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;
diff --git a/md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.2.md b/md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.2.md
deleted file mode 100644
index dd9428a..0000000
--- a/md_catalogs/ocp4-cis/CIS-1/CIS-1.4/CIS-1.4.2.md
+++ /dev/null
@@ -1,76 +0,0 @@ -# CIS-1.4.2 - \[Scheduler\] Verify that the scheduler API service is protected by authentication and authorization - -## Control Statement - -Do not bind the scheduler service to non-loopback insecure addresses. - -## Control rationale_statement - -The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface - -## Control impact_statement - -None - -## Control remediation_procedure - -By default, the `--bind-address` argument is not present, the readinessProbe and `livenessProbe` arguments are set to `10251` and the `port` argument is set to `0`. - -Check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488 - -## Control audit_procedure - -In OpenShift 4, The Kubernetes Scheduler operator manages and updates the Kubernetes Scheduler deployed on top of OpenShift. By default, the operator exposes metrics via metrics service. The metrics are collected from the Kubernetes Scheduler operator. Profiling data is sent to `healthzPort`, the port of the localhost `healthz` endpoint. Changing this value may disrupt components that monitor the kubelet health. The default `healthz` `port` value is `10251`, and the `healthz` `bindAddress` is `127.0.0.1` - -To ensure the collected data is not exploited, profiling endpoints are secured via RBAC (see cluster-debugger role). By default, the profiling endpoints are accessible only by users bound to `cluster-admin` or `cluster-debugger` role. Profiling can not be disabled. - -The bind-address argument is not used. Both authentication and authorization are in place. 
- -https://github.com/openshift/cluster-kube-scheduler-operator - -Run the following command: - -``` -# to verify endpoints - -oc -n openshift-kube-scheduler describe endpoints - -# To verify that bind-adress is not used in the configuration and that port is set to 0 -oc -n openshift-kube-scheduler get cm kube-scheduler-pod -o json | jq -r '.data."pod.yaml"' | jq '.spec.containers' - -# To test for RBAC: -oc project openshift-kube-scheduler - -POD=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].metadata.name}') - -POD_IP=$(oc get pods -l app=openshift-kube-scheduler -o jsonpath='{.items[0].status.podIP}') - -PORT=$(oc get pod $POD -o jsonpath='{.spec.containers[0].livenessProbe.httpGet.port}') - -# Should return a 403 -oc rsh ${POD} curl http://${POD_IP}:${PORT}/metrics - -# Create a service account to test RBAC -oc create sa permission-test-sa - -# Should return 403 Forbidden -SA_TOKEN=$(oc sa get-token permission-test-sa) -oc rsh ${POD} curl http://localhost:${PORT}/metrics -H "Authorization: Bearer $SA_TOKEN" -k - -# Cleanup -oc delete sa permission-test-sa - -# As cluster admin, should succeed -CLUSTER_ADMIN_TOKEN=$(oc whoami -t) -oc rsh ${POD} curl http://localhost:${PORT}/metrics -H "Authorization: Bearer $CLUSTER_ADMIN_TOKEN" -k -``` - -Verify that the --bind-address argument is not present and that `healthz` is bound to `port` `10251`. - -Verify that only users with the cluster_admin role can retrieve metrics from the endpoint. - -Verify that a regular user cannot get information about the scheduler. NOTE: If this check fails, please check the status of this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1889488 - -## Control CIS_Controls - -TITLE:Maintain and Enforce Network-Based URL Filters CONTROL:v8 9.3 DESCRIPTION:Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. 
Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.;
diff --git a/md_catalogs/ocp4-cis/CIS-2/CIS-2.1.md b/md_catalogs/ocp4-cis/CIS-2/CIS-2.1.md
deleted file mode 100644
index 482d20a..0000000
--- a/md_catalogs/ocp4-cis/CIS-2/CIS-2.1.md
+++ /dev/null
@@ -1,55 +0,0 @@ -# CIS-2.1 - \[etcd\] Ensure that the --cert-file and --key-file arguments are set as appropriate - -## Control Statement - -Configure TLS encryption for the `etcd` service. - -## Control rationale_statement - -`etcd` is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit. - -## Control impact_statement - -Client connections only over TLS would be served. - -## Control remediation_procedure - -OpenShift does not use the `etcd-certfile` or `etcd-keyfil`e flags. Certificates for `etcd` are managed by the `etcd` cluster operator. - -## Control audit_procedure - -OpenShift uses X.509 certificates to provide secure communication to `etcd`. OpenShift generates these files and sets the arguments appropriately. OpenShift does not use the `etcd-certfile` or `etcd-keyfile` flags. - -Keys and certificates for control plane components like `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` are stored with their respective static pod configurations in the directory `/etc/kubernetes/static-pod-resources/*/secrets`. - -Run the following command: - -``` - -# For --cert-file -for i in $(oc get pods -oname -n openshift-etcd) -do - oc exec -n openshift-etcd -c etcd $i -- \ - ps -o command= -C etcd | sed 's/.*\(--cert-file=[^ ]*\).*/\1/' -done - -# For --key-file -for i in $(oc get pods -oname -n openshift-etcd) -do - oc exec -n openshift-etcd -c etcd $i -- \ - ps -o command= -C etcd | sed 's/.*\(--key-file=[^ ]*\).*/\1/' -done -``` - -Verify that cert-file and key-file values are returned for each etcd member. 
-`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.crt` -`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-${ETCD_DNS_NAME}.key` - -For example: - -`--cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.crt` -`--key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-serving/etcd-serving-ip-10-0-165-75.us-east-2.compute.internal.key` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-2/CIS-2.2.md b/md_catalogs/ocp4-cis/CIS-2/CIS-2.2.md deleted file mode 100644 index c4cd5f1..0000000 --- a/md_catalogs/ocp4-cis/CIS-2/CIS-2.2.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# CIS-2.2 - \[etcd\] Ensure that the --client-cert-auth argument is set to true - -## Control Statement - -Enable client authentication on etcd service. - -## Control rationale_statement - -etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service. - -## Control impact_statement - -All clients attempting to access the etcd server will require a valid client certificate. - -## Control remediation_procedure - -This setting is managed by the cluster etcd operator. No remediation required. - -## Control audit_procedure - -OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift installation generates these files and sets the arguments appropriately. The following certificates are generated and used by etcd and other processes that communicate with etcd: - -- Client certificates: Client certificates are currently used by the API server only, and no other service should connect to etcd directly except for the proxy. Client secrets (`etcd-client`, `etcd-metric-client`, `etcd-metric-signer`, and `etcd-signer`) are added to the `openshift-config`, `openshift-monitoring`, and `openshift-kube-apiserver` namespaces. -- Server certificates: Used by the etcd server for authenticating client requests. - -Run the following command on the etcd server node: - -``` - -for i in $(oc get pods -oname -n openshift-etcd) -do - oc exec -n openshift-etcd -c etcd $i -- \ - ps -o command= -C etcd | sed 's/.*\(--client-cert-auth=[^ ]*\).*/\1/' -done -``` - -Verify that the `--client-cert-auth` argument is set to `true` for each etcd member. 
- -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.; diff --git a/md_catalogs/ocp4-cis/CIS-2/CIS-2.3.md b/md_catalogs/ocp4-cis/CIS-2/CIS-2.3.md deleted file mode 100644 index 67f2226..0000000 --- a/md_catalogs/ocp4-cis/CIS-2/CIS-2.3.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# CIS-2.3 - \[etcd\] Ensure that the --auto-tls argument is not set to true - -## Control Statement - -Do not use self-signed certificates for TLS. - -## Control rationale_statement - -etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service. - -## Control impact_statement - -Clients will not be able to use self-signed certificates for TLS. - -## Control remediation_procedure - -This setting is managed by the cluster etcd operator. No remediation required. - -## Control audit_procedure - -OpenShift configures etcd with secure communication. Openshift installs etcd as static pods on control plane nodes, and mounts the configuration files from /etc/etcd/ on the host. The `etcd.conf` file includes `auto-tls` configurations as referenced in `/etc/etcd/etcd.conf`. - -OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. - -These internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. - -- Each cluster CA can only issue certificates for its own purpose within its own cluster. -- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference. -- Cluster CAs cannot be influenced by an external CA that the cluster does not control. 
- -Run the following command: - -``` - -# Returns 0 if found, 1 if not found -for i in $(oc get pods -oname -n openshift-etcd) -do - oc exec -n openshift-etcd -c etcd $i -- \ - ps -o command= -C etcd | grep -- --auto-tls=true 2>&1>/dev/null ; \ - echo $? -done -``` - -Verify that 1 is returned for each etcd member. - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-2/CIS-2.4.md b/md_catalogs/ocp4-cis/CIS-2/CIS-2.4.md deleted file mode 100644 index 388f1d4..0000000 --- a/md_catalogs/ocp4-cis/CIS-2/CIS-2.4.md +++ /dev/null 
@@ -1,54 +0,0 @@
-# CIS-2.4 - \[etcd\] Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
-
-## Control Statement
-
-etcd should be configured to make use of TLS encryption for peer connections.
-
-## Control rationale_statement
-
-etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.
-
-## Control impact_statement
-
-etcd cluster peers are set up TLS for their communication.
-
-## Control remediation_procedure
-
-None. This configuration is managed by the etcd operator.
-
-## Control audit_procedure
-
-OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.
-
-Openshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. The `etcd.conf` file includes `peer-cert-file` and `peer-key-file` configurations as referenced in `/etc/etcd/etcd.conf`.
-
-Run the following command:
-
-```
-
-# For --peer-cert-file
-for i in $(oc get pods -oname -n openshift-etcd)
-do
- oc exec -n openshift-etcd -c etcd $i -- \
- ps -o command= -C etcd | sed 's/.*\(--peer-cert-file=[^ ]*\).*/\1/'
-done
-
-# For --peer-key-file
-for i in $(oc get pods -oname -n openshift-etcd)
-do
- oc exec -n openshift-etcd -c etcd $i -- \
- ps -o command= -C etcd | sed 's/.*\(--peer-key-file=[^ ]*\).*/\1/'
-done
-```
-
-Verify that the following is returned for each etcd member.
-`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.crt`
-`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-${ETCD_DNS_NAME}.key`
-
-For example
-`--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.crt`
-`--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-ip-10-0-158-52.us-east-2.compute.internal.key`
-
-## Control CIS_Controls
-
-TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.;
diff --git a/md_catalogs/ocp4-cis/CIS-2/CIS-2.5.md b/md_catalogs/ocp4-cis/CIS-2/CIS-2.5.md
deleted file mode 100644
index 1f965de..0000000
--- a/md_catalogs/ocp4-cis/CIS-2/CIS-2.5.md
+++ /dev/null
@@ -1,40 +0,0 @@
-# CIS-2.5 - \[etcd\] Ensure that the --peer-client-cert-auth argument is set to true
-
-## Control Statement
-
-etcd should be configured for peer authentication.
-
-## Control rationale_statement
-
-etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.
-
-## Control impact_statement
-
-All peers attempting to communicate with the etcd server require a valid client certificate for authentication.
-
-## Control remediation_procedure
-
-This setting is managed by the cluster etcd operator. No remediation required.
-
-## Control audit_procedure
-
-OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift generates these files and sets the arguments appropriately. etcd certificates are used for encrypted communication between etcd member peers, as well as encrypted client traffic. Peer certificates are generated and used for communication between etcd members.
-
-Openshift installs etcd as static pods on control plane nodes, and mounts the configuration files from `/etc/etcd/` on the host. The `etcd.conf` file includes `peer-client-cert-auth` configurations as referenced in `/etc/etcd/etcd.conf`.
-
-Run the following command:
-
-```
-
-for i in $(oc get pods -oname -n openshift-etcd)
-do
- oc exec -n openshift-etcd -c etcd $i -- \
- ps -o command= -C etcd | sed 's/.*\(--peer-client-cert-auth=[^ ]*\).*/\1/'
-done
-```
-
-Verify that the `--peer-client-cert-auth` argument is set to `true` for each etcd member.
-
-## Control CIS_Controls
-
-TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;
diff --git a/md_catalogs/ocp4-cis/CIS-2/CIS-2.6.md b/md_catalogs/ocp4-cis/CIS-2/CIS-2.6.md
deleted file mode 100644
index 5da2e3e..0000000
--- a/md_catalogs/ocp4-cis/CIS-2/CIS-2.6.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# CIS-2.6 - \[etcd\] Ensure that the --peer-auto-tls argument is not set to true
-
-## Control Statement
-
-Do not use automatically generated self-signed certificates for TLS connections between peers.
-
-## Control rationale_statement
-
-etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.
-
-## Control impact_statement
-
-All peers attempting to communicate with the etcd server require a valid client certificate for authentication.
-
-## Control remediation_procedure
-
-This setting is managed by the cluster etcd operator. No remediation required.
-
-## Control audit_procedure
-
-OpenShift does not use the `--peer-auto-tls` argument. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster.
-
-These internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. This means that
-
-- Each cluster CA can only issue certificates for its own purpose within its own cluster.
-- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.
-
-Cluster CAs cannot be influenced by an external CA that the cluster does not control.
-
-Run the following command:
-
-```
-
-# Returns 0 if found, 1 if not found
-for i in $(oc get pods -oname -n openshift-etcd)
-do
- oc exec -n openshift-etcd -c etcd $i -- \
- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>&1>/dev/null ; \
- echo $?
-done
-```
-
-Verify that 1 is returned for each etcd member.
-
-## Control CIS_Controls
-
-TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. ;TITLE:Use Unique Passwords CONTROL:v7 4.4 DESCRIPTION:Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.;
diff --git a/md_catalogs/ocp4-cis/CIS-2/CIS-2.7.md b/md_catalogs/ocp4-cis/CIS-2/CIS-2.7.md
deleted file mode 100644
index 7485881..0000000
--- a/md_catalogs/ocp4-cis/CIS-2/CIS-2.7.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# CIS-2.7 - \[etcd\] Ensure that a unique Certificate Authority is used for etcd
-
-## Control Statement
-
-Use a different certificate authority for etcd from the one used for Kubernetes.
-
-## Control rationale_statement
-
-etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. Its access should be restricted to specifically designated clients and peers only.
-
-Authentication to etcd is based on whether the certificate presented was issued by a trusted certificate authority. There is no checking of certificate attributes such as common name or subject alternative name. As such, if any attackers were able to gain access to any certificate issued by the trusted certificate authority, they would be able to gain full access to the etcd database.
-
-## Control impact_statement
-
-Additional management of the certificates and keys for the dedicated certificate authority will be required.
-
-## Control remediation_procedure
-
-None required. Certificates for etcd are managed by the OpenShift cluster etcd operator.
-
-## Control audit_procedure
-
-OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. OpenShift uses a separate CA for etcd.
-
-These internal self-signing CAs enable automation because the key is known to the cluster. The certificates generated by each CA are used to identify a particular OpenShift platform component to another OpenShift platform component. The OpenShift CAs are managed by the cluster and are only used within the cluster. This means that
-
-- Each cluster CA can only issue certificates for its own purpose within its own cluster.
-- CAs for one OpenShift cluster cannot influence CAs for a different OpenShift cluster, thus avoiding cross-cluster interference.
-
-Cluster CAs cannot be influenced by an external CA that the cluster does not control.
-
-Run the following command:
-
-```
-
-for i in $(oc get pods -oname -n openshift-etcd)
-do
- oc exec -n openshift-etcd -c etcd $i -- \
- ps -o command= -C etcd | sed 's/.*\(--trusted-ca-file=[^ ]*\).*/\1/'
-done
-
-for i in $(oc get pods -oname -n openshift-etcd)
-do
- oc exec -n openshift-etcd -c etcd $i -- \
- ps -o command= -C etcd | sed 's/.*\(--peer-trusted-ca-file=[^ ]*\).*/\1/'
-done
-```
-
-Verify that `--trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt` and `--peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt` are returned for each member.
-
-## Control CIS_Controls
-
-TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.;
diff --git a/md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md b/md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md
deleted file mode 100644
index 9f7107a..0000000
--- a/md_catalogs/ocp4-cis/CIS-3/CIS-3.1/CIS-3.1.1.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# CIS-3.1.1 - \[Authentication and Authorization\] Client certificate authentication should not be used for users
-
-## Control Statement
-
-Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose.
-
-It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication.
-
-## Control rationale_statement
-
-With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation.
-
-## Control impact_statement
-
-External mechanisms for authentication generally require additional software to be deployed.
-
-## Control remediation_procedure
-
-Configure an identity provider for the OpenShift cluster. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html). Once an identity provider has been defined, you can use RBAC to define and apply permissions. After you define an identity provider and create a new `cluster-admin` user, remove the `kubeadmin` user to improve cluster security.
-
-## Control audit_procedure
-
-For users to interact with OpenShift Container Platform, they must first authenticate to the cluster. The authentication layer identifies the user with requests to the OpenShift Container Platform API. The authorization layer then uses information about the requesting user to determine if the request is allowed. [Understanding authentication | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html)
-
-The OpenShift Container Platform includes a built-in OAuth server for token-based authentication. Developers and administrators obtain OAuth access tokens to authenticate themselves to the API. It is recommended for an administrator to configure OAuth to specify an identity provider after the cluster is installed. User access to the cluster is managed through the identity provider. [Understanding identity provider configuration | Authentication | OpenShift Container Platform 4.5](https://docs.openshift.com/container-platform/4.5/authentication/understanding-identity-provider.html)
-
-Run the following commands:
-
-```
-
-# To verify user authentication is enabled
-oc describe authentication
-
-# To verify that an identity provider is configured
-oc get identity
-
-# To verify that a custom cluster-admin user exists
-oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User
-
-# To verity that kbueadmin is removed, no results should be returned
-oc get secrets kubeadmin -n kube-system
-```
-
-Verify that authentication is running.
-
-Verify that at least one identity provider is configured.
-
-Verify that at least one user has cluster-admin role. For example
-`NAME: cluster-admin-0` `ROLE: cluster-admin` `SUBJECT:*.kind User`
-
-Verify that the `kubeadmin` user no longer exists
-
-## Control CIS_Controls
-
-TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;
diff --git a/md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.1.md b/md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.1.md
deleted file mode 100644
index e7922d2..0000000
--- a/md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.1.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# CIS-3.2.1 - \[Logging\] Ensure that a minimal audit policy is created
-
-## Control Statement
-
-Kubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.
-
-## Control rationale_statement
-
-Logging is an important detective control for all systems, to detect potential unauthorised access.
-
-## Control impact_statement
-
-Audit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.
-
-## Control remediation_procedure
-
-No remediation required.
-
-## Control audit_procedure
-
-In OpenShift, auditing of the API Server is on by default. Audit provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system. Audit works at the API server level, logging all requests coming to the server. Each audit log contains two entries:
-
-The request line containing:
-
-A Unique ID allowing to match the response line (see #2)
-- The source IP of the request
-- The HTTP method being invoked
-- The original user invoking the operation
-- The impersonated user for the operation (self meaning himself)
-- The impersonated group for the operation (lookup meaning user’s group)
-- The namespace of the request or
-- The URI as requested
-
-The response line containing:
-- The unique ID from #1
-- The response code
-
-You can view logs for the OpenShift Container Platform API server or the Kubernetes API server for each master node. Follow the steps in documentation. [Viewing the audit log](https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-audit-log.html#nodes-nodes-audit-log-basic-viewing_nodes-nodes-audit-log)
-
-```
-
-#To view kube apiserver log files
-oc adm node-logs --role=master --path=kube-apiserver/
-
-#To view openshift apiserver log files
-oc adm node-logs --role=master --path=openshift-apiserver/
-
-#To verify kube apiserver audit config
-oc get configmap config -n openshift-kube-apiserver -ojson | \
- jq -r '.data["config.yaml"]' | \
- jq '.auditConfig[]'
-
-#To verify openshift apiserver audit config
-oc get configmap config -n openshift-apiserver -ojson | \
- jq -r '.data["config.yaml"]' | \
- jq '.auditConfig[]'
-```
-
-Verify that log files are returned.
-
-Verify the audit log configuration.
-
-## Control CIS_Controls
-
-TITLE:Activate audit logging CONTROL:v7 6.2 DESCRIPTION:Ensure that local logging has been enabled on all systems and networking devices.;
diff --git a/md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.2.md b/md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.2.md
deleted file mode 100644
index 0a61415..0000000
--- a/md_catalogs/ocp4-cis/CIS-3/CIS-3.2/CIS-3.2.2.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# CIS-3.2.2 - \[Logging\] Ensure that the audit policy covers key security concerns
-
-## Control Statement
-
-Ensure that the audit policy created for the cluster covers key security concerns.
-
-## Control rationale_statement
-
-Security audit logs should cover access and modification of key resources in the cluster, to enable them to form an effective part of a security environment.
-
-## Control impact_statement
-
-Increasing audit logging will consume resources on the nodes or other log destinations.
-
-## Control remediation_procedure
-
-In OpenShift 4.6 and higher, if appropriate for your needs, modify the audit policy.
-
-## Control audit_procedure
-
-Review the audit policy provided for the cluster and ensure that it covers at least the following areas:
-
-- Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data.
-- Modification of pod and deployment objects.
-- Use of `pods/exec`, `pods/portforward`, `pods/proxy and services/proxy`.
-
-For most requests, minimally logging at the Metadata level is recommended (the most basic level of logging).
-
-Audit policy is supported as of OpenShift 4.6, but not in earlier versions. You can configure the audit feature to set log level, retention policy, and the type of events to log. You can set the log level settings for an overall component or the API server to one of the following. The setting can be different for each setting.
-
-```
-
-#To verify openshift apiserver audit config
-oc get configmap config -n openshift-kube-apiserver -ojson | \
- jq -r '.data["config.yaml"]' | \
- jq '.auditConfig.policyConfiguration.rules[]'
-
-#To verify kube apiserver audit config
-oc get configmap config -n openshift-apiserver -ojson | \
- jq -r '.data["config.yaml"]' | \
- jq '.auditConfig.policyConfiguration.rules[]'
-```
-
-## Control CIS_Controls
-
-TITLE:Enforce Detail Logging for Access or Changes to Sensitive Data CONTROL:v7 14.9 DESCRIPTION:Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).;TITLE:Enforce Detailed Audit Logging For Sensitive Information CONTROL:v6 14.6 DESCRIPTION:Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.;
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.1.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.1.md
deleted file mode 100644
index 505faf6..0000000
--- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.1.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# CIS-4.1.1 - \[Worker Node Configuration Files\] Ensure that the kubelet service file permissions are set to 600 or more restrictive
-
-## Control Statement
-
-Ensure that the kubelet service file has permissions of 600 or more restrictive.
-
-## Control rationale_statement
-
-The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.
-
-## Control impact_statement
-
-None
-
-## Control remediation_procedure
-
-execute command:
-
-```
-chmod 600 /etc/systemd/system/kubelet.service
-```
-
-## Control audit_procedure
-
-Kubelet is run as a `systemd` unit and its configuration file is created with `644` permissions.
-
-Run the following command:
-
-```
-
-for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
-do
- oc debug node/${node} -- chroot /host stat -c %a /etc/systemd/system/kubelet.service
-done
-```
-
-Verify that the permissions are `600` or more restrictive.
-
-## Control CIS_Controls
-
-TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.10.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.10.md
deleted file mode 100644
index cc5257f..0000000
--- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.10.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# CIS-4.1.10 - \[Worker Node Configuration Files\] Ensure that the kubelet configuration file ownership is set to root:root
-
-## Control Statement
-
-Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by `root:root`.
-
-## Control rationale_statement
-
-The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be owned by `root:root`.
-
-## Control impact_statement
-
-None
-
-## Control remediation_procedure
-
-None required.
-
-## Control audit_procedure
-
-In OpenShift 4, the kublet config file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/kubeconfig` with ownership set to `root:root`.
-
-Run the command:
-
-```
-
-for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
-do
- oc debug node/${node} -- chroot /host stat -c %U:%G /var/lib/kubelet/config.json
-done
-```
-
-Verify that the ownership is set to `root:root`.
-
-## Control CIS_Controls
-
-TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.2.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.2.md
deleted file mode 100644
index 5c90248..0000000
--- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.2.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# CIS-4.1.2 - \[Worker Node Configuration Files\] Ensure that the kubelet service file ownership is set to root:root
-
-## Control Statement
-
-Ensure that the kubelet service file ownership is set to `root:root`.
-
-## Control rationale_statement
-
-The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.
-
-## Control impact_statement
-
-None
-
-## Control remediation_procedure
-
-By default, the kubelet service file has ownership of `root:root`.
-
-## Control audit_procedure
-
-Run the following command:
-
-```
-
-# Should return root:root for each node
-for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
-do
- oc debug node/${node} -- chroot /host stat -c %U:%G /etc/systemd/system/kubelet.service
-done
-```
-
-Verify that the ownership is set to `root:root`.
-
-## Control CIS_Controls
-
-TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.3.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.3.md
deleted file mode 100644
index 736a623..0000000
--- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.3.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# CIS-4.1.3 - \[Worker Node Configuration Files\] If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive
-
-## Control Statement
-
-If `kube-proxy` is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of `600` or more restrictive.
-
-## Control rationale_statement
-
-The `kube-proxy` kubeconfig file controls various parameters of the `kube-proxy` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.
-
-It is possible to run `kube-proxy` with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.
-
-## Control impact_statement
-
-None
-
-## Control remediation_procedure
-
-execute command:
-
-chmod 600 /config/kube-proxy-config.yaml
-
-## Control audit_procedure
-
-In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with `644` permissions.
-
-Run the following command:
-
-```
-
-for i in $(oc get pods -n openshift-sdn -l app=sdn -oname)
-do
- oc exec -n openshift-sdn $i -- \
- stat -Lc %a /config/kube-proxy-config.yaml
-done
-```
-
-Verify that the `kube-proxy-config.yaml` file has permissions of `600`.
-
-## Control CIS_Controls
-
-TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.;
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.4.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.4.md
deleted file mode 100644
index 8e84a80..0000000
--- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.4.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# CIS-4.1.4 - \[Worker Node Configuration Files\] If proxy kubeconfig file exists ensure ownership is set to root:root
-
-## Control Statement
-
-If `kube-proxy` is running, ensure that the file ownership of its kubeconfig file is set to `root:root`.
-
-## Control rationale_statement
-
-The kubeconfig file for `kube-proxy` controls various parameters for the `kube-proxy` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.
-
-## Control impact_statement
-
-None
-
-## Control remediation_procedure
-
-None required. The configuration is managed by OpenShift operators.
-
-## Control audit_procedure
-
-In OpenShift 4, the `kube-proxy` runs within the `sdn` pods, which copies the `kubeconfig` from a configmap to the container at `/tmp/kubeconfig`, with root:root ownership.
-
-Run the following command:
-
-```
-for i in $(oc get pods -n openshift-sdn -l app=sdn -oname)
-do
- oc exec -n openshift-sdn $i -- \
- stat -Lc %U:%G /config/kube-proxy-config.yaml
-done
-```
-
-Verify that the `kube-proxy-config.yaml` file has ownership root:root.
-
-## Control CIS_Controls
-
-TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.5.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.5.md
deleted file mode 100644
index 42d1fa2..0000000
--- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.5.md
+++ /dev/null
@@ -1,41 +0,0 @@ -# CIS-4.1.5 - \[Worker Node Configuration Files\] Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive - -## Control Statement - -Ensure that the `kubelet.conf` file has permissions of `600` or more restrictive. - -## Control rationale_statement - -The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. - -## Control impact_statement - -None - -## Control remediation_procedure - -run command: - -``` -chmod 600 /etc/kubernetes/kubelet.conf -``` - -## Control audit_procedure - -The node's `kubeconfig` is created with `644` permissions. - -Run the following command: - -``` -# Check permissions -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/kubelet.conf -done -``` - -Verify that the permissions are `600`. - -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.6.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.6.md deleted file mode 100644 index a20b1f7..0000000 
--- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.6.md +++ /dev/null @@ -1,37 +0,0 @@ -# CIS-4.1.6 - \[Worker Node Configuration Files\] Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root - -## Control Statement - -Ensure that the `kubelet.conf` file ownership is set to `root:root`. - -## Control rationale_statement - -The `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`. - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. - -## Control audit_procedure - -The node's `kubeconfig` is created with `root:root` ownership. - -Run the following command: - -``` - -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/kubelet.conf -done -``` - -Verify that the ownership is set to `root:root`. - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.7.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.7.md deleted file mode 100644 index a952bb3..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.7.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# CIS-4.1.7 - \[Worker Node Configuration Files\] Ensure that the certificate authorities file permissions are set to 600 or more restrictive - -## Control Statement - -Ensure that the certificate authorities file has permissions of `600` or more restrictive. - -## Control rationale_statement - -The certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. - -## Control impact_statement - -None - -## Control remediation_procedure - -execute command: - -``` -chmod 600 /etc/kubernetes/cert/ca.pem -``` - -## Control audit_procedure - -The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The -`/etc/kubernetes/cert/kubelet-ca.crt` file has permissions `600`. - -Run the following command: - -``` - -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host stat -c %a /etc/kubernetes/cert/ca.pem -done -``` - -Verify that the permissions are `600`. - -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.; 
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.8.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.8.md deleted file mode 100644 index 17e46ce..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.8.md +++ /dev/null @@ -1,38 +0,0 @@ -# CIS-4.1.8 - \[Worker Node Configuration Files\] Ensure that the client certificate authorities file ownership is set to root:root - -## Control Statement - -Ensure that the certificate authorities file ownership is set to `root:root`. - -## Control rationale_statement - -The certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`. - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. - -## Control audit_procedure - -The Client CA location for the `kubelet` is defined in `/etc/kubernetes/kubelet.conf`. The -`/etc/kubernetes/kubelet-ca.crt` file has ownership `root:root`. - -Run the following command: - -``` - -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host stat -c %U:%G /etc/kubernetes/ca.pem -done -``` - -Verify that the ownership is set to `root:root`. - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.9.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.9.md deleted file mode 100644 index 7065367..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.1/CIS-4.1.9.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# CIS-4.1.9 - \[Worker Node Configuration Files\] Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive - -## Control Statement - -Ensure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of `600` or more restrictive. - -## Control rationale_statement - -The kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. - -## Control audit_procedure - -In OpenShift 4, the `kublet.conf` file is managed by the Machine Config Operator. The kubelet config file is found at `/var/lib/kubelet/config.json` with file permissions set to `600`. - -Run the command: - -``` - -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host stat -c %a /var/lib/kubelet/config.json -done -``` - -Verify that the permissions are `600`. - -## Control CIS_Controls - -TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;TITLE:Minimize And Sparingly Use Administrative Privileges CONTROL:v6 5.1 DESCRIPTION:Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.; 
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.1.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.1.md deleted file mode 100644 index ca07024..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.1.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# CIS-4.2.1 - \[Kubelet\] Ensure that the --anonymous-auth argument is set to false - -## Control Statement - -Disable anonymous requests to the Kubelet server. - -## Control rationale_statement - -When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. - -## Control impact_statement - -Anonymous requests will be rejected. - -## Control remediation_procedure - -Follow the instructions in the documentation to create a Kubelet config CRD and set the `anonymous-auth` is set to `false`. - -## Control audit_procedure - -In OpenShift 4, the kublet config file is managed by the Machine Config Operator and `anonymous-auth` is set to `false` by default. - -Run the following command on each node: - -``` - -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host grep -B4 -A1 anonymous: /etc/systemd/system/kubelet.conf -done -``` - -Verify that the `anonymous-auth` argument is set to `false`. - -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Protect Information through Access Control Lists CONTROL:v7 14.6 DESCRIPTION:Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.; 
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.10.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.10.md deleted file mode 100644 index 1c2737c..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.10.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# CIS-4.2.10 - \[Kubelet\] Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - -## Control Statement - -Setup TLS connection on the Kubelets. - -## Control rationale_statement - -The connections from the `apiserver` to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the `apiserver` does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. - -## Control impact_statement - -TLS and client certificate authentication must be configured for your Kubernetes cluster deployment. - -## Control remediation_procedure - -OpenShift automatically manages TLS authentication for the API server communication with the `node/kublet`. This is not configurable. - -## Control audit_procedure - -By default, OpenShift uses X.509 certificates to provide secure connections between the API server and `node/kubelet`. OpenShift Container Platform monitors certificates for proper validity, for the cluster certificates it issues and manages. The OpenShift Container Platform manages certificate rotation and the alerting framework has rules to help identify when a certificate issue is about to occur. - -Run the following command on each node: - -``` -oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.kubeletClientInfo' -``` - -Verify that the `kubelet-client-certificate` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt` - -Verify that the `kubelet-client-key` argument is set to `/etc/kubernetes/static-pod-certs/secrets/kublet-client/tls.key` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.11.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.11.md deleted file mode 100644 index 6e33b5e..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.11.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# CIS-4.2.11 - \[Kubelet\] Ensure that the --rotate-certificates argument is not set to false - -## Control Statement - -Enable kubelet client certificate rotation. - -## Control rationale_statement - -The `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad. - -Note: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. - -## Control audit_procedure - -This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled. The feature gate is enabled by default. - -Run the following commands: - -``` - -#Verify the rotateKubeletClientCertificate feature gate is not set to false -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host cat /etc/kubernetes/kubelet.conf | grep RotateKubeletClientCertificate -done - -# Verify the rotateCertificates argument is set to true -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf; -done -``` - -Verify that the `rotateKubeletClientCertificates` feature gate argument is not set to `false`. - -Verify that the `rotateCertificates` argument is set to `true`. - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. 
Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.12.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.12.md deleted file mode 100644 index 0b6c938..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.12.md +++ /dev/null 
@@ -1,43 +0,0 @@ -# CIS-4.2.12 - \[Kubelet\] Verify that the RotateKubeletServerCertificate argument is set to true - -## Control Statement - -Enable kubelet server certificate rotation. - -## Control rationale_statement - -`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. - -Note: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. - -## Control audit_procedure - -Run the following command on each node: - -``` - -#Verify the rotateKubeletServerCertificate feature gate is on -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done - -# Verify the rotateCertificates argument is set to true -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot host grep rotate /etc/kubernetes/kubelet.conf; -done -``` - -Verify that the `RotateKubeletServerCertificate` argument is set to `true`. - -Verify that the `rotateCertificates` argument is set to `true` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; 
diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.13.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.13.md deleted file mode 100644 index da2d52e..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.13.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# CIS-4.2.13 - \[Kubelet\] Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers - -## Control Statement - -Ensure that the Kubelet is configured to only use strong cryptographic ciphers. - -## Control rationale_statement - -TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided. - -## Control impact_statement - -Kubelet clients that cannot support modern cryptographic ciphers will not be able to make connections to the Kubelet API. - -## Control remediation_procedure - -Follow the directions above and in the OpenShift documentation to configure the `tlsSecurityProfile`. [Configuring Ingress](https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress) - -## Control audit_procedure - -The set of cryptographic ciphers currently considered secure is the following: - -``` - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_128_GCM_SHA256 -``` - -Ciphers for the API servers, authentication and the ingress controller can be configured using the `tlsSecurityProfile` parameter as of OpenShfit 4.3. The ingress controller provides external access to the API server. There are four TLS security profile types: - -- Old -- Intermediate -- Modern -- Custom - -Only the Old, Intermediate and Custom profiles are supported at this time for the Ingress controller. Custom provides the ability to specify individual TLS security profile parameters. 
Follow the steps in the documentation to configure the cipher suite for Ingress, API server and Authentication. https://docs.openshift.com/container-platform/4.5/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress - -Run the following commands to verify the cipher suite and minTLSversion for the ingress operator, authentication operator, `cliconfig`, OpenShift `APIserver` and Kube APIserver. - -``` -# needs verification - -# verify cipher suites -oc describe --namespace=openshift-ingress-operator ingresscontroller/default - -oc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo - -oc get openshiftapiservers.operator.openshift.io cluster -o json |jq .spec.observedConfig.servingInfo - -oc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\-0\-config\-system\-cliconfig}' | jq .servingInfo - -#check value for tlsSecurityProfile; null is returned if default is used -oc get kubeapiservers.operator.openshift.io cluster -o json |jq .spec.tlsSecurityProfile -``` - -Verify that the cipher suites are appropriate. - -Verify that the `tlsSecurityProfile` is set to the value you chose. - -Note: The HAProxy Ingress controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2. - -## Control CIS_Controls - -TITLE:Use Unique Passwords CONTROL:v8 5.2 DESCRIPTION:Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. 
;TITLE:Utilize Client Certificates to Authenticate Hardware Assets CONTROL:v7 1.8 DESCRIPTION:Use client certificates to authenticate hardware assets connecting to the organization's trusted network.;TITLE:Address unapproved software CONTROL:v7 2.6 DESCRIPTION:Ensure that unauthorized software is either removed or the inventory is updated in a timely manner; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.2.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.2.md deleted file mode 100644 index 0edbad8..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.2.md +++ /dev/null 
@@ -1,49 +0,0 @@ -# CIS-4.2.2 - \[Kubelet\] Ensure that the --authorization-mode argument is not set to AlwaysAllow - -## Control Statement - -Do not allow all requests. Enable explicit authorization. - -## Control rationale_statement - -Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests. - -## Control impact_statement - -Unauthorized requests will be denied. - -## Control remediation_procedure - -None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes. - -## Control audit_procedure - -In OpenShift 4, the kublet config file is managed by the Machine Config Operator. By default, Unauthenticated/Unauthorized users have no access to OpenShift nodes. Run the following command: - -``` - -#In one terminal, run: - oc proxy - -#Then in another terminal, run: -for name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}') -do - curl -sS http://127.0.0.1:8080/api/v1/nodes/$name/proxy/configz | jq -r '.kubeletconfig.authorization.mode' - done - -# Alternative without oc proxy -POD=$(oc -n openshift-kube-apiserver get pod -l app=openshift-kube-apiserver -o jsonpath='{.items[0].metadata.name}') - -TOKEN=$(oc whoami -t) - -for name in $(oc get nodes -ojsonpath='{.items[*].metadata.name}') -do - oc exec -n openshift-kube-apiserver $POD -- curl -sS https://172.25.0.1/api/v1/nodes/$name/proxy/configz -k -H "Authorization: Bearer $TOKEN" | jq -r '.kubeletconfig.authorization.mode' -done -``` - -Verify that access is not successful. - -## Control CIS_Controls - -TITLE:Configure Data Access Control Lists CONTROL:v8 3.3 DESCRIPTION:Configure data access control lists based on a user’s need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.3.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.3.md deleted file mode 100644 index 70cd3ea..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.3.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# CIS-4.2.3 - \[Kubelet\] Ensure that the --client-ca-file argument is set as appropriate - -## Control Statement - -Enable Kubelet authentication using certificates. - -## Control rationale_statement - -The connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet’s port-forwarding functionality. These connections terminate at the kubelet’s HTTPS endpoint. By default, the apiserver does not verify the kubelet’s serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. Enabling Kubelet certificate authentication ensures that the apiserver could authenticate the Kubelet before submitting any requests. - -## Control impact_statement - -You require TLS to be configured on apiserver as well as kubelets. - -## Control remediation_procedure - -None required. Changing the `clientCAFile` value is unsupported. - -## Control audit_procedure - -OpenShift provides integrated management of certificates for internal cluster components. OpenShift 4 includes multiple CAs providing independent chains of trust, which ensure that a platform CA will never accidentally sign a certificate that can be used for the wrong purpose, increasing the security posture of the cluster. The Client CA location for the kubelet is defined in `/etc/kubernetes/kubelet.conf`. - -Run the following command: - -``` - -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host grep -B3 client-ca-file: /etc/systemd/system/kubelet.service -done -``` - -Verify that the `clientCAFile` exists and is set to `/etc/kubernetes/kubelet-ca.crt`. 
The output should look like the following: - -``` -apiVersion: kubelet.config.k8s.io/v1beta1 -authentication: - x509: - clientCAFile: /etc/kubernetes/kubelet-ca.crt -``` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data at Rest CONTROL:v8 3.11 DESCRIPTION:Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. ;TITLE:Encrypt Sensitive Information at Rest CONTROL:v7 14.8 DESCRIPTION:Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.4.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.4.md deleted file mode 100644 index 9cc64d7..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.4.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# CIS-4.2.4 - \[Kubelet\] Verify that the read only port is not used or is set to 0 - -## Control Statement - -Disable the read-only port. - -## Control rationale_statement - -The Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster. - -## Control impact_statement - -Removal of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API. - -## Control remediation_procedure - -In earlier versions of OpenShift 4, the `read-only-port` argument is not used. - -Follow the instructions in the documentation to create a Kubelet config CRD and set the `--read-only-port` is set to `0`. - -## Control audit_procedure - -In OpenShift 4, the kubelet is managed by the Machine Config Operator. The kubelet config file is found at `/etc/kubernetes/kubelet.conf`. OpenShift disables the read-only port (10255) on all nodes by setting the `read-only-port` kubelet flag to 0 by default in OpenShift 4.6 and above. In OpenShift 4.5 and earlier, the `read-only-port` argument is not used. - -Run the following command: - -``` - -oc -n openshift-kube-apiserver get cm kube-apiserver-pod -o yaml | grep --color read-only-port - -oc -n openshift-kube-apiserver get cm config -o yaml | grep --color "read-only-port” -``` - -For OpenShift 4.5, verify that nothing is returned. Configuration information is available here: https://github.com/openshift/kubernetes-kubelet/blob/origin-4.5-kubernetes-1.18.3/config/v1beta1/types.go#L135-L141 - -For OpenShift 4.6, verify that the `read-only-port` is set to `0`. 
- -## Control CIS_Controls - -TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.5.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.5.md deleted file mode 100644 index c8061b8..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.5.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# CIS-4.2.5 - \[Kubelet\] Ensure that the --streaming-connection-idle-timeout argument is not set to 0 - -## Control Statement - -Do not disable timeouts on streaming connections. - -## Control rationale_statement - -Setting idle timeouts ensures that you are protected against Denial-of-Service attacks, inactive connections and running out of ephemeral ports. - -**Note:** By default, `--streaming-connection-idle-timeout` is set to 4 hours which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases. - -## Control impact_statement - -Long-lived connections could be interrupted. - -## Control remediation_procedure - -Follow the instructions in the documentation to create a Kubelet config CRD and set the `--streaming-connection-idle-timeout` to the desired value. Do not set the value to `0`. - -## Control audit_procedure - -OpenShift uses the kubernetes default of 4 hours for the streaming-connection-idle-timeout argument. Unless the cluster administrator has added the value to the node configuration, the default will be used. The value is a timeout for HTTP streaming sessions going through a kubelet, like the port-forward, exec, or attach pod operations. The `streaming-connection-idle-timeout` should not be disabled by setting it to `zero`, but it can be lowered. Note that if the value is set too low, then users using those features may experience a service interruption due to the timeout. - -The kubelet configuration is currently serialized as an ignition configuration, so it can be directly edited. However, there is also a new `kubelet-config-controller` added to the Machine Config Controller (MCC). This allows you to create a `KubeletConfig` custom resource (CR) to edit the kubelet parameters. 
- -Run the following command on each node: - -``` - -# Should return 1 for each node -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host ps -ef | grep kubelet | grep streaming-connection-idle-timeout - echo $? -done - -# Should return 1 for each node -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}') -do - oc debug node/${node} -- chroot /host grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf - echo $? -done -``` - -Verify that the `--streaming-connection-idle-timeout` argument is not set to `0`. -If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to `0`. - -## Control CIS_Controls - -TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Ensure Only Approved Ports, Protocols and Services Are Running CONTROL:v7 9.2 DESCRIPTION:Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.6.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.6.md deleted file mode 100644 index c90812f..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.6.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# CIS-4.2.6 - \[Kubelet\] Ensure that the --protect-kernel-defaults argument is not set - -## Control Statement - -Protect tuned kernel parameters from overriding kubelet default kernel parameter values. - -## Control rationale_statement - -Kernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior. - -## Control impact_statement - -You would have to re-tune kernel parameters to match kubelet parameters. - -## Control remediation_procedure - -None required. The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start. - -## Control audit_procedure - -The OpenShift 4 kubelet modifies the system tunable; using the `protect-kernel-defaults` flag will cause the kubelet to fail on start if the tunables don't match the kubelet configuration and the OpenShift node will fail to start. - -Run the following command: - -``` -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done -``` - -Verify that protectKernelDefaults is not present. 
- -## Control CIS_Controls - -TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Deploy Automated Operating System Patch Management Tools CONTROL:v7 3.4 DESCRIPTION:Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.7.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.7.md deleted file mode 100644 index a80729e..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.7.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# CIS-4.2.7 - \[Kubelet\] Ensure that the --make-iptables-util-chains argument is set to true - -## Control Statement - -Allow Kubelet to manage iptables. - -## Control rationale_statement - -Kubelets can automatically manage the required changes to iptables based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to iptables. This ensures that the iptables configuration remains in sync with pods networking configuration. Manually configuring iptables with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have iptables rules too restrictive or too open. - -## Control impact_statement - -Kubelet would manage the iptables on the system and keep it in sync. If you are using any other iptables management solution, then there might be some conflicts. - -## Control remediation_procedure - -None required. The `--make-iptables-util-chains` argument is set to true by default. - -## Control audit_procedure - -OpenShift sets the `make-iptables-util-changes` argument to true by default. - -Run the following command: - -``` - -/bin/bash -flag=make-iptables-util-chains -opt=makeIPTablesUtilChains - -# look at each machineconfigpool - -while read -r pool nodeconfig; do - # true by default - value='true' - # first look for the flag - oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.systemd[][] | select(.name=="kubelet.service") | .contents' | sed -n "/^ExecStart=/,/^\$/ { /^\\s*--$flag=false/ q 100 }" - # if the above command exited with 100, the flag was false - [ $? 
== 100 ] && value='false' - # now look in the yaml KubeletConfig - yamlconfig=$(oc get machineconfig $nodeconfig -o json | jq -r '.spec.config.storage.files[] | select(.path=="/etc/kubernetes/kubelet.conf") | .contents.source ' | sed 's/^data:,//' | while read; do echo -e ${REPLY//%/\\x}; done) - echo "$yamlconfig" | sed -n "/^$opt:\\s*false\\s*$/ q 100" - [ $? == 100 ] && value='false' - echo "Pool $pool has $flag ($opt) set to $value" -done < <(oc get machineconfigpools -o json | jq -r '.items[] | select(.status.machineCount>0) | .metadata.name + " " + .spec.configuration.name') -``` - -Verify the `--make-iptables-util-chains` argument is set to true for each `machinepool`. - -For example: -`Pool master has make-iptables-util-chains (makeIPTablesUtilChains) set to true` -`Pool worker has make-iptables-util-chains (makeIPTablesUtilChains) set to true` - -## Control CIS_Controls - -TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enforce Access Control to Data through Automated Tools CONTROL:v7 14.7 DESCRIPTION:Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.8.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.8.md deleted file mode 100644 index 997e72d..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.8.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# CIS-4.2.8 - \[Kubelet\] Ensure that the --hostname-override argument is not set - -## Control Statement - -Do not override node hostnames. - -## Control rationale_statement - -Overriding hostnames could potentially break TLS setup between the kubelet and the apiserver. Additionally, with overridden hostnames, it becomes increasingly difficult to associate logs with a particular node and process them for security analytics. Hence, you should setup your kubelet nodes with resolvable FQDNs and avoid overriding the hostnames with IPs. - -## Control impact_statement - -Some cloud providers may require this flag to ensure that hostname matches names issued by the cloud provider. In these environments, this recommendation should not apply. - -## Control remediation_procedure - -None required. - -## Control audit_procedure - -In OpenShift 4, the `--hostname-override` argument is not used. - -Run the following command on each machine pool. For example: - -``` -oc get machineconfig 01-worker-kubelet -o yaml | grep hostname-override -oc get machineconfig 01-master-kubelet -o yaml | grep hostname-override -``` - -Verify that `--hostname-override` argument does not exist. - -## Control CIS_Controls - -TITLE:Use DNS Filtering Services CONTROL:v8 9.2 DESCRIPTION:Use DNS filtering services on all enterprise assets to block access to known malicious domains.;TITLE:Use of DNS Filtering Services CONTROL:v7 7.7 DESCRIPTION:Use DNS filtering services to help block access to known malicious domains.; diff --git a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.9.md b/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.9.md deleted file mode 100644 index f62af18..0000000 --- a/md_catalogs/ocp4-cis/CIS-4/CIS-4.2/CIS-4.2.9.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# CIS-4.2.9 - \[Kubelet\] Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture - -## Control Statement - -Security relevant information should be captured. The `--event-qps` flag on the Kubelet can be used to limit the rate at which events are gathered. Setting this too low could result in relevant events not being logged, however the unlimited setting of `0` could result in a denial of service on the kubelet. - -## Control rationale_statement - -It is important to capture all events and not restrict event creation. Events are an important source of security information and analytics that ensure that your environment is consistently monitored using the event data. - -## Control impact_statement - -Setting this parameter to `0` could result in a denial of service condition due to excessive events being created. The cluster's event processing and storage systems should be scaled to handle expected event loads. - -## Control remediation_procedure - -Follow the documentation to edit kubelet parameters - -https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters - -``` -KubeAPIQPS: -``` - -## Control audit_procedure - -OpenShift uses the `kubeAPIQPS` argument and sets it to a default value of `50`. When this value is set to > 0, event creations per second are limited to the value set. If this value is set to `0`, event creations per second are unlimited. - -Run the following command on each machine pool. 
For example: - -``` - -for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host more /etc/kubernetes/kubelet.conf; done - -oc get machineconfig 01-worker-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050 - -oc get machineconfig 01-master-kubelet -o yaml | grep --color kubeAPIQPS%3A%2050 -``` - -Review the value set for the `kubeAPIQPS` argument and determine whether this has been set to an appropriate level for the cluster. If this value is set to `0`, event creations per second are unlimited. - -## Control CIS_Controls - -TITLE:Collect Detailed Audit Logs CONTROL:v8 8.5 DESCRIPTION:Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.;TITLE:Enable Command-line Audit Logging CONTROL:v7 8.8 DESCRIPTION:Enable command-line audit logging for command shells, such as Microsoft Powershell and Bash.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.1.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.1.md deleted file mode 100644 index f41b64d..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.1.md +++ /dev/null 
@@ -1,51 +0,0 @@ -# CIS-5.1.1 - \[RBAC and Service Accounts\] Ensure that the cluster-admin role is only used where required - -## Control Statement - -The RBAC role `cluster-admin` provides wide-ranging powers over the environment and should be used only where and when needed. - -## Control rationale_statement - -Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as `cluster-admin` provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as `cluster-admin` allow super-user access to perform any action on any resource. When used in a `ClusterRoleBinding`, it gives full control over every resource in the cluster and in all namespaces. When used in a `RoleBinding`, it gives full control over every resource in the rolebinding's namespace, including the namespace itself. - -## Control impact_statement - -Care should be taken before removing any `clusterrolebindings` from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to `clusterrolebindings` with the `system:` prefix as they are required for the operation of system components. - -## Control remediation_procedure - -Identify all `clusterrolebindings` to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. - -Where possible, first bind users to a lower privileged role and then remove the `clusterrolebinding` to the cluster-admin role : - -``` -oc delete clusterrolebinding [name] -``` - -## Control audit_procedure - -OpenShift provides a set of default cluster roles that you can bind to users and groups cluster-wide or locally (per project namespace). Be mindful of the difference between local and cluster bindings. For example, if you bind the cluster-admin role to a user by using a local role binding, it might appear that this user has the privileges of a cluster administrator. 
This is not the case. Binding the cluster-admin to a user in a project grants super administrator privileges for only that project to the user. You can use the oc CLI to view cluster roles and bindings by using the oc describe command. For more information, see [Default Cluster Roles](https://docs.openshift.com/container-platform/4.4/authentication/using-rbac.html#default-roles_using-rbac) - -Some of these roles such as cluster-admin provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as cluster-admin allow super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself. - -Review users and groups bound to cluster-admin and decide whether they require such access. Consider creating least-privilege roles for users and service accounts. - -Obtain a list of the principals who have access to the cluster-admin role by reviewing the `clusterrolebinding` output for each role binding that has access to the cluster-admin role. - -``` -# needs verification - -# To get a list of users and service accounts with the cluster-admin role -oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin - -# To verity that kbueadmin is removed, no results should be returned -oc get secrets kubeadmin -n kube-system -``` - -Review each principal listed and ensure that cluster-admin privilege is required for it. - -Verify that the kubeadmin user no longer exists. - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Ensure the Use of Dedicated Administrative Accounts CONTROL:v7 4.3 DESCRIPTION:Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.2.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.2.md deleted file mode 100644 index c8d33cd..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.2.md +++ /dev/null 
@@ -1,25 +0,0 @@
-# CIS-5.1.2 - \[RBAC and Service Accounts\] Minimize access to secrets
-
-## Control Statement
-
-The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
-
-## Control rationale_statement
-
-Inappropriate access to secrets stored within the Kubernetes cluster can allow for an attacker to gain additional access to the Kubernetes cluster or external resources whose credentials are stored as secrets.
-
-## Control impact_statement
-
-Care should be taken not to remove access to secrets to system components which require this for their operation
-
-## Control remediation_procedure
-
-Where possible, remove `get`, `list` and `watch` access to `secret` objects in the cluster.
-
-## Control audit_procedure
-
-Review the users who have `get`, `list` or `watch` access to `secrets` objects in the Kubernetes API.
-
-## Control CIS_Controls
-
-TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md
deleted file mode 100644
index ad71726..0000000
--- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.3.md
+++ /dev/null
@@ -1,38 +0,0 @@ -# CIS-5.1.3 - \[RBAC and Service Accounts\] Minimize wildcard use in Roles and ClusterRoles - -## Control Statement - -Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items. - -Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product. - -## Control rationale_statement - -The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API. - -## Control remediation_procedure - -Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions. - -## Control audit_procedure - -Retrieve the roles defined across each namespaces in the cluster and review for wildcards - -``` - -oc get roles --all-namespaces -o yaml - -for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done -``` - -Retrieve the cluster roles defined in the cluster and review for wildcards - -``` -oc get clusterroles -o yaml - -for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do oc describe clusterrole ${i}; done -``` - -## Control CIS_Controls - -TITLE:Define and Maintain Role-Based Access Control CONTROL:v8 6.8 DESCRIPTION:Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.; 
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md
deleted file mode 100644
index 757ca4f..0000000
--- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.4.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# CIS-5.1.4 - \[RBAC and Service Accounts\] Minimize access to create pods
-
-## Control Statement
-
-The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access)
-
-As such, access to create new pods should be restricted to the smallest possible group of users.
-
-## Control rationale_statement
-
-The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
-
-## Control impact_statement
-
-Care should be taken not to remove access to pods to system components which require this for their operation
-
-## Control remediation_procedure
-
-Where possible, remove `create` access to `pod` objects in the cluster.
-
-## Control audit_procedure
-
-Review the users who have create access to pod objects in the Kubernetes API.
-
-## Control CIS_Controls
-
-TITLE:Allowlist Authorized Scripts CONTROL:v8 2.7 DESCRIPTION:Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.;
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.5.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.5.md deleted file mode 100644 index 2656262..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.5.md +++ /dev/null 
@@ -1,29 +0,0 @@
-# CIS-5.1.5 - \[RBAC and Service Accounts\] Ensure that default service accounts are not actively used.
-
-## Control Statement
-
-The `default` service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.
-
-## Control rationale_statement
-
-Kubernetes provides a `default` service account which is used by cluster workloads where no specific service account is assigned to the pod.
-
-Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.
-
-The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
-
-## Control impact_statement
-
-All workloads which require access to the Kubernetes API will require an explicit service account to be created.
-
-## Control remediation_procedure
-
-None required.
-
-## Control audit_procedure
-
-Every OpenShift project has its own service accounts. Every service account has an associated user name that can be granted roles, just like a regular user. The user name for each service account is derived from its project and the name of the service account. Service accounts are required in each project to run builds, deployments, and other pods. The default service accounts that are automatically created for each project are isolated by the project namespace.
-
-## Control CIS_Controls
-
-TITLE:Disable Dormant Accounts CONTROL:v8 5.3 DESCRIPTION:Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.;TITLE:Disable Dormant Accounts CONTROL:v7 16.9 DESCRIPTION:Automatically disable dormant accounts after a set period of inactivity.;
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.6.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.6.md
deleted file mode 100644
index f10fbd9..0000000
--- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.1/CIS-5.1.6.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# CIS-5.1.6 - \[RBAC and Service Accounts\] Ensure that Service Account Tokens are only mounted where necessary
-
-## Control Statement
-
-Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server
-
-## Control rationale_statement
-
-Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.
-
-Avoiding mounting these tokens removes this attack avenue.
-
-## Control impact_statement
-
-Pods mounted without service account tokens will not be able to communicate with the API server, except where the resource is available to unauthenticated principals.
-
-## Control remediation_procedure
-
-Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
-
-## Control audit_procedure
-
-Review pod and service account objects in the cluster and ensure that the option below is set, unless the resource explicitly requires this access.
-
-```
-automountServiceAccountToken: false
-```
-
-## Control CIS_Controls
-
-TITLE:Only Allow Access to Authorized Cloud Storage or Email Providers CONTROL:v7 13.4 DESCRIPTION:Only allow access to authorized cloud storage or email providers.;
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.1.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.1.md
deleted file mode 100644
index 5ffe2fd..0000000
--- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.1.md
+++ /dev/null
@@ -1,54 +0,0 @@ -# CIS-5.2.1 - \[Pod Security Policies\] Minimize the admission of privileged containers - -## Control Statement - -Do not generally permit containers to be run with the `securityContext.privileged` flag set to `true`. - -## Control rationale_statement - -Privileged containers have access to all Linux Kernel capabilities and devices. A container running with full privileges can do almost everything that the host can do. This flag exists to allow special use-cases, like manipulating the network stack and accessing devices. - -There should be at least one Security Context Constraint (SCC) defined which does not permit privileged containers. - -If you need to run privileged containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods defined with `spec.containers[].securityContext.privileged: true` will not be permitted. - -## Control remediation_procedure - -Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privileged` field is set to `false`. - -## Control audit_procedure - -The set of SCCs that admission uses to authorize a pod are determined by the user identity and groups that the user belongs to. Additionally, if the pod specifies a service account, the set of allowable SCCs includes any constraints accessible to the service account. - -Admission uses the following approach to create the final security context for the pod: - -- Retrieve all SCCs available for use. -- Generate field values for security context settings that were not specified on the request. -- Validate the final settings against the available constraints. - -If a matching set of constraints is found, then the pod is accepted. If the request cannot be matched to an SCC, the pod is rejected. - -A pod must validate every field against the SCC. 
- -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether privileged is enabled: - -``` -# needs verification -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Privileged"; done -``` - -Verify that there is at least one SCC which does not have `Allow Privileged` set to `true`. - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.2.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.2.md deleted file mode 100644 index 93221c7..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.2.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# CIS-5.2.2 - \[Pod Security Policies\] Minimize the admission of containers wishing to share the host process ID namespace - -## Control Statement - -Do not generally permit containers to be run with the `hostPID` flag set to true. - -## Control rationale_statement - -A container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. - -There should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host PID namespace. - -If you need to run containers which require hostPID, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods defined with `Allow Host PID: true` will not be permitted unless they are run under a specific SCC. - -## Control remediation_procedure - -Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host PID` field is set to false. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether Allow Host PID is true: - -``` -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Host PID"; done -``` - -Verify that there is at least one SCC which does not return true. - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.3.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.3.md deleted file mode 100644 index cb159df..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.3.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# CIS-5.2.3 - \[Pod Security Policies\] Minimize the admission of containers wishing to share the host IPC namespace - -## Control Statement - -Do not generally permit containers to be run with the `hostIPC` flag set to true. - -## Control rationale_statement - -A container running in the host's IPC namespace can use IPC to interact with processes outside the container. - -There should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host IPC namespace. - -If you have a requirement to containers which require hostIPC, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods defined with `Allow Host IPC: true` will not be permitted unless they are run under a specific SCC. - -## Control remediation_procedure - -Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host IPC` field is set to `false`. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether `Allow Host IPC` is enabled: - -``` -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Host IPC"; done -``` - -Verify that there is at least one SCC which does not return true. - -## Control CIS_Controls - -TITLE:Perform Application Layer Filtering CONTROL:v8 13.10 DESCRIPTION:Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.;TITLE:Deploy Application Layer Filtering Proxy Server CONTROL:v7 12.9 DESCRIPTION:Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.; 
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.4.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.4.md deleted file mode 100644 index 8433855..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.4.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# CIS-5.2.4 - \[Pod Security Policies\] Minimize the admission of containers wishing to share the host network namespace - -## Control Statement - -Do not generally permit containers to be run with the `hostNetwork` flag set to true. - -## Control rationale_statement - -A container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. - -There should be at least one Security Context Constraint (SCC) defined which does not permit containers to share the host network namespace. - -If you have need to run containers which require hostNetwork, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods defined with `Allow Host Network: true` will not be permitted unless they are run under a specific SCC. - -## Control remediation_procedure - -Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Host Network` field is omitted or set to `false`. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether `Allow Host Network` is enabled: - -``` -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Host Network"; done -``` - -Verify that there is at least one SCC which does not return true. - -## Control CIS_Controls - -TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. 
Do not process sensitive data on enterprise assets intended for lower sensitivity data.;TITLE:Segment the Network Based on Sensitivity CONTROL:v7 14.1 DESCRIPTION:Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.5.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.5.md deleted file mode 100644 index f1d45f3..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.5.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# CIS-5.2.5 - \[Pod Security Policies\] Minimize the admission of containers with allowPrivilegeEscalation - -## Control Statement - -Do not generally permit containers to be run with the `allowPrivilegeEscalation` flag set to `true`. - -## Control rationale_statement - -A container running with the `allowPrivilegeEscalation` flag set to `true` may have processes that can gain more privileges than their parent. - -There should be at least one Security Context Constraint (SCC) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. - -If you have need to run containers which use setuid binaries or require privilege escalation, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods defined with `Allow Privilege Escalation: true` will not be permitted unless they are run under a specific SCC. - -## Control remediation_procedure - -Create a SCC as described in the OpenShift documentation, ensuring that the `Allow Privilege Escalation` field is set to `false`. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether privileged is enabled: - -``` -# needs verification -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allow Privilege Escalation"; done -``` - -Verify that there is at least one SCC which does not return true. - -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. 
Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.6.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.6.md deleted file mode 100644 index 66c7dce..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.6.md +++ /dev/null 
@@ -1,49 +0,0 @@ -# CIS-5.2.6 - \[Pod Security Policies\] Minimize the admission of root containers - -## Control Statement - -Do not generally permit containers to be run as the root user. - -## Control rationale_statement - -Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features still have an escalated likelihood of container breakout. - -Ideally, all containers should run as a defined non-UID 0 user. - -There should be at least one Security Context Constraint (SCC) defined which does not permit root users in a container. - -If you need to run root containers, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods with containers which run as the root user will not be permitted. - -## Control remediation_procedure - -None required. By default, OpenShift includes the non-root SCC with the the `Run As User Strategy` is set to either `MustRunAsNonRoot`. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether running containers as root is enabled: - -``` -# needs verification - -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Run As User Strategy"; done - -#For SCCs with MustRunAs verify that the range of UIDs does not include 0 - -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "\sUID"; done -``` - -Verify that there is at least one SCC which returns `MustRunAsNonRoot` or one SCC which returns `MustRunAs` with the range of UIDs not including 0. 
- -## Control CIS_Controls - -TITLE:Restrict Administrator Privileges to Dedicated Administrator Accounts CONTROL:v8 5.4 DESCRIPTION:Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.7.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.7.md deleted file mode 100644 index 7fabdc0..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.7.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# CIS-5.2.7 - \[Pod Security Policies\] Minimize the admission of containers with the NET_RAW capability - -## Control Statement - -Do not generally permit containers with the potentially dangerous NET_RAW capability. - -## Control rationale_statement - -Containers run with a default set of capabilities as assigned by the Container Runtime. By default this can include potentially dangerous capabilities. With Docker as the container runtime the NET_RAW capability is enabled which may be misused by malicious containers. - -Ideally, all containers should drop this capability. - -There should be at least one Security Context Constraint (SCC) defined which prevents containers with the NET_RAW capability from launching. - -If you need to run containers with this capability, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods with containers which run with the NET_RAW capability will not be permitted. - -## Control remediation_procedure - -Create a SCC as described in the OpenShift documentation, ensuring that the `Required Drop Capabilities` is set to include either `NET_RAW` or `ALL`. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether `NET_RAW` is disabled: - -``` -# needs verification -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Required Drop Capabilities"; done -``` - -Verify that there is at least one SCC which returns `NET_RAW` or `ALL`. 
- -## Control CIS_Controls - -TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.8.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.8.md deleted file mode 100644 index e754255..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.8.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# CIS-5.2.8 - \[Pod Security Policies\] Minimize the admission of containers with added capabilities - -## Control Statement - -Do not generally permit containers with capabilities assigned beyond the default set. - -## Control rationale_statement - -Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities outside this set can be added to containers which could expose them to risks of container breakout attacks. - -There should be at least one Security Context Constraint (SCC) defined which prevents containers with capabilities beyond the default set from launching. - -If you need to run containers with additional capabilities, this should be defined in a separate SCC and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that SCC. - -## Control impact_statement - -Pods with containers which require capabilities outside the default set will not be permitted. - -## Control remediation_procedure - -Ensure that `Allowed Capabilities` is set to an empty array for every SCC in the cluster except for the `privileged` SCC. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check the values for `Allowed Capabilities`: - -``` - -oc describe scc | grep “Default Add Capabilities” - -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Allowed Capabilities"; done - -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Default Add Capabilities"; done -``` - -Minimize the number of SCCs that have `Allowed Capabilities` set to anything other than an empty array. - -Minimize the number of SCCs that have `Default Add Capabilities` set to anything other than an empty array. 
- -## Control CIS_Controls - -TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.9.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.9.md deleted file mode 100644 index b0e2af1..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.2/CIS-5.2.9.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# CIS-5.2.9 - \[Pod Security Policies\] Minimize the admission of containers with capabilities assigned - -## Control Statement - -Do not generally permit containers with capabilities - -## Control rationale_statement - -Containers run with a default set of capabilities as assigned by the Container Runtime. Capabilities are parts of the rights generally granted on a Linux system to the root user. - -In many cases applications running in containers do not require any capabilities to operate, so from the perspective of the principal of least privilege use of capabilities should be minimized. - -## Control impact_statement - -Pods with containers which require capabilities to operate will not be permitted. - -## Control remediation_procedure - -Review the use of capabilities in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabilities to operate consider adding a SCC which forbids the admission of containers which do not drop all capabilities. - -## Control audit_procedure - -Get the set of SCCs with the following command: - -``` -oc get scc -``` - -For each SCC, check whether capabilities have been forbidden: - -``` -oc describe scc | grep “Required Drop Capabilities” - -for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do echo "$i"; oc describe scc $i | grep "Required Drop Capabilities"; done -``` - -## Control CIS_Controls - -TITLE:Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CONTROL:v8 4.8 DESCRIPTION:Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.1.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.1.md deleted file mode 100644 index 63e7dfa..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.1.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# CIS-5.3.1 - \[Network Policies and CNI\] Ensure that the CNI in use supports Network Policies - -## Control Statement - -There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster. - -## Control rationale_statement - -Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies. - -## Control impact_statement - -None - -## Control remediation_procedure - -None required. - -## Control audit_procedure - -Review the documentation of CNI plugin in use by the cluster, and confirm that it supports Ingress and Egress network policies. - -OpenShift Container Platform uses a software-defined networking (SDN) approach to provide a unified cluster network that enables communication between Pods across the OpenShift Container Platform cluster. This Pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS). The OpenShift SDN uses Network Policies. The OpenShift SDN CNI plug-in provides all Kubernetes v1 NetworkPolicy features except for egress policy types and IPBlock. However, OpenShift provides means to implement fine grained filtering of egress traffic. OpenShift provides several options for controlling the traffic leaving the cluster. These options are : - -- Egress firewall -- Egress routers -- Egress static IP - -## Control CIS_Controls - -TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. 
Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.2.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.2.md deleted file mode 100644 index 2dd2dc0..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.3/CIS-5.3.2.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# CIS-5.3.2 - \[Network Policies and CNI\] Ensure that all Namespaces have Network Policies defined - -## Control Statement - -Use network policies to isolate traffic in your cluster network. - -## Control rationale_statement - -Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. - -Once there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic - -## Control impact_statement - -Once there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic" - -## Control remediation_procedure - -Follow the documentation and create `NetworkPolicy` objects as you need them. - -## Control audit_procedure - -The OpenShift 4 CNI plugin uses network policies and by default all Pods in a project are accessible from other Pods and network endpoints. To isolate one or more Pods in a project, you create NetworkPolicy objects in that project to indicate the allowed incoming connections. Project administrators can create and delete NetworkPolicy objects within their own project. For more information see: - -Run the following command and review the `NetworkPolicy` objects created in the cluster. - -``` -oc -n all get networkpolicy -``` - -Ensure that each namespace defined in the cluster has at least one Network Policy. 
- -## Control CIS_Controls - -TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Enable Firewall Filtering Between VLANs CONTROL:v7 14.2 DESCRIPTION:Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.1.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.1.md deleted file mode 100644 index 1dd5706..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.1.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# CIS-5.4.1 - \[Secrets Management\] Prefer using secrets as files over secrets as environment variables - -## Control Statement - -Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets. - -## Control rationale_statement - -It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs. - -## Control impact_statement - -Application code which expects to read secrets in the form of environment variables would need modification - -## Control remediation_procedure - -If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. - -## Control audit_procedure - -Information about ways to provide sensitive data to pods is included in the documentation. -[Providing sensitive data to pods](https://docs.openshift.com/container-platform/4.5/nodes/pods/nodes-pods-secrets.html) -Run the following command to find references to objects which use environment variables defined from secrets. - -``` -oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A -``` - -## Control CIS_Controls - -TITLE:Encrypt Sensitive Data in Transit CONTROL:v8 3.10 DESCRIPTION:Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).;TITLE:Encrypt All Sensitive Information in Transit CONTROL:v7 14.4 DESCRIPTION:Encrypt all sensitive information in transit.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.2.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.2.md deleted file mode 100644 index 40af232..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.4/CIS-5.4.2.md +++ /dev/null 
@@ -1,27 +0,0 @@ -# CIS-5.4.2 - \[Secrets Management\] Consider external secret storage - -## Control Statement - -Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs. Ensure the solution requires authentication to access secrets, has auditing of access to and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate secrets. - -## Control rationale_statement - -Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure that access to secrets is carefully limited. Using an external secrets provider can ease the management of access to secrets, especially where secrets are used across both Kubernetes and non-Kubernetes environments. - -## Control impact_statement - -None - -## Control remediation_procedure - -Refer to the secrets management options offered by your cloud provider or a third-party secrets management solution. - -## Control audit_procedure - -OpenShift supports a broad ecosystem of security partners many of whom provide integration with enterprise secret vaults. - -Review your secrets management implementation. - -## Control CIS_Controls - -TITLE:Segment Data Processing and Storage Based on Sensitivity CONTROL:v8 3.12 DESCRIPTION:Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.5/CIS-5.5.1.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.5/CIS-5.5.1.md deleted file mode 100644 index 5b3ed15..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.5/CIS-5.5.1.md +++ /dev/null 
@@ -1,27 +0,0 @@ -# CIS-5.5.1 - \[Extensible Admission Control\] Configure Image Provenance using image controller configuration parameters - -## Control Statement - -Configure Image Provenance for your deployment. - -## Control rationale_statement - -Kubernetes supports plugging in provenance rules to accept or reject the images in your deployments. You could configure such rules to ensure that only approved images are deployed in the cluster. - -You can control which images can be imported, tagged, and run in a cluster using the image controller. For additional information on the image controller, see [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html) - -## Control impact_statement - -You need to regularly maintain your provenance configuration based on container image updates. - -## Control remediation_procedure - -Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html - -## Control audit_procedure - -Review the image controller parameters in your cluster and verify that image provenance is configured as appropriate. - -## Control CIS_Controls - -TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Deploy System Configuration Management Tools CONTROL:v7 5.4 DESCRIPTION:Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.; 
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.1.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.1.md deleted file mode 100644 index 318ca91..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.1.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# CIS-5.7.1 - \[General Policies\] Create administrative boundaries between resources using namespaces - -## Control Statement - -Use namespaces to isolate your Kubernetes objects. - -## Control rationale_statement - -Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. Resources created in one namespace can be hidden from other namespaces. By default, each resource created by a user in Kubernetes cluster runs in a default namespace, called `default`. You can create additional namespaces and attach resources and users to them. You can use Kubernetes Authorization plugins to create policies that segregate access to namespace resources between different users. - -## Control impact_statement - -You need to switch between namespaces for administration. - -## Control remediation_procedure - -Follow the documentation and create namespaces for objects in your deployment as you need them. - -## Control audit_procedure - -OpenShift Projects wrap Kubernetes namespaces and are used by default in OpenShift 4. - -Run the following command and review the namespaces created in the cluster. - -``` -oc get namespaces -``` - -Ensure that these namespaces are the ones you need and are adequately administered as per your requirements. - -## Control CIS_Controls - -TITLE:Implement and Manage a Firewall on Servers CONTROL:v8 4.4 DESCRIPTION:Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.;TITLE:Implement Application Firewalls CONTROL:v7 9.5 DESCRIPTION:Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.; 
diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.2.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.2.md deleted file mode 100644 index 49552ef..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.2.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# CIS-5.7.2 - \[General Policies\] Ensure that the seccomp profile is set to docker/default in your pod definitions - -## Control Statement - -Enable `default` seccomp profile in your pod definitions. - -## Control rationale_statement - -Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container. - -## Control impact_statement - -If the `default` seccomp profile is too restrictive for you, you will need to create and manage your own seccomp profiles. - -## Control remediation_procedure - -To enable the `default` seccomp profile, use the reserved value `/runtime/default` that will make sure that the pod uses the default policy available on the host. - -## Control audit_procedure - -In OpenShift 4, CRI-O is the supported runtime. CRI-O runs unconfined by default in order to meet CRI conformance criteria. - -On RHEL CoreOS, the default seccomp policy is associated with CRI-O and stored in `/etc/crio/seccomp.json`. The default profile is applied when the user asks for the runtime/default profile via annotation to the pod and when the associated SCC allows use of the specified seccomp profile. - -Configuration of allowable seccomp profiles is managed through OpenShift Security Context Constraints. - -## Control CIS_Controls - -TITLE:Establish and Maintain a Secure Configuration Process CONTROL:v8 4.1 DESCRIPTION:Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.;TITLE:Maintain Secure Images CONTROL:v7 5.2 DESCRIPTION:Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.3.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.3.md deleted file mode 100644 index 36a2a5e..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.3.md +++ /dev/null 
@@ -1,27 +0,0 @@ -# CIS-5.7.3 - \[General Policies\] Apply Security Context to Your Pods and Containers - -## Control Statement - -Apply Security Context to Your Pods and Containers - -## Control rationale_statement - -A security context defines the operating system security settings (uid, gid, capabilities, SELinux role, etc..) applied to a container. When designing your containers and pods, make sure that you configure the security context for your pods, containers, and volumes. A security context is a property defined in the deployment yaml. It controls the security parameters that will be assigned to the pod/container/volume. There are two levels of security context: pod level security context, and container level security context. - -## Control impact_statement - -If you incorrectly apply security contexts, you may have trouble running the pods. - -## Control remediation_procedure - -Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. - -## Control audit_procedure - -Review the pod definitions in your cluster and verify that you have security contexts defined as appropriate. - -OpenShift's Security Context Constraint feature is on by default in OpenShift 4 and applied to all pods deployed. SCC selection is determined by a combination of the values in the securityContext and the rolebindings for the account deploying the pod. 
- -## Control CIS_Controls - -TITLE:Perform Automated Operating System Patch Management CONTROL:v8 7.3 DESCRIPTION:Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.;TITLE:Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies CONTROL:v7 8.3 DESCRIPTION:Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.; diff --git a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.4.md b/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.4.md deleted file mode 100644 index 4cd70b6..0000000 --- a/md_catalogs/ocp4-cis/CIS-5/CIS-5.7/CIS-5.7.4.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# CIS-5.7.4 - \[General Policies\] The default namespace should not be used - -## Control Statement - -Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult. - -## Control rationale_statement - -Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources. - -## Control impact_statement - -None - -## Control remediation_procedure - -Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. - -## Control audit_procedure - -In OpenShift, projects (namespaces) are used to group and isolate related objects. When a request is made to create a new project using the web console or oc new-project command, an endpoint in OpenShift Container Platform is used to provision the project according to a template, which can be customized. - -The cluster administrator can allow and configure how developers and service accounts can create, or self-provision, their own projects. Regular users do not have access to the default project. - -Projects starting with openshift- and kube- host cluster components that run as Pods and other infrastructure components. As such, OpenShift does not allow you to create Projects starting with openshift- or kube- using the oc new-project command. 
- -For more information, see -[Working with projects](https://docs.openshift.com/container-platform/4.4/applications/projects/working-with-projects.html) and -[Configuring project creation](https://docs.openshift.com/containerplatform/4.4/applications/projects/configuring-project-creation.html) - -Run this command to list objects in default namespace - -``` -oc project default -oc get all -``` - -The only entries there should be system managed resources such as the `kubernetes` and `openshift` service - -## Control CIS_Controls - -TITLE:Configure Trusted DNS Servers on Enterprise Assets CONTROL:v8 4.9 DESCRIPTION:Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. ;TITLE:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers CONTROL:v7 5 DESCRIPTION:Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers; From 3c4c74956629d741db7a5a966b958d59fa31b911 Mon Sep 17 00:00:00 2001 From: Lou DeGenaro Date: Thu, 13 Feb 2025 07:19:19 -0500 Subject: [PATCH 05/14] Update README Signed-off-by: Lou DeGenaro --- .gitignore | 1 + README.md | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 8db746a..00790c4 100644 --- a/.gitignore +++ b/.gitignore @@ -130,3 +130,4 @@ dmypy.json .DS_Store compliance-trestle/ +/.project diff --git a/README.md b/README.md index 91c5152..c33c47d 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,8 @@ # End-to-End Demo: Compliance as Code CIS Benchmarks Catalog (snippet) -End-to-End Demo: Compliance as Code CIS Benchmarks Catalog (snippet) \ No newline at end of file +End-to-End Demo: Compliance as Code CIS Benchmarks Catalog (snippet) + +This repo comprises OSCAL catalog for the end-to-end demo. The OSCAL catalog is for CIS Benchmarks, but for proprietary reasons only a portion (snippet) of the entire catalog is used for this demo. + +The full catalog can be obtained from [CIS Controls OSCAL Repository](https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository). + +The [demo overview](https://github.com/oscal-compass/e2e-demo). \ No newline at end of file From dfebb163911ff6d09c5708bcae79ea5d39cc3be8 Mon Sep 17 00:00:00 2001 From: Lou DeGenaro Date: Thu, 13 Feb 2025 10:01:18 -0500 Subject: [PATCH 06/14] Update README Signed-off-by: Lou DeGenaro --- README.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c33c47d..1ac3d28 100644 --- a/README.md +++ b/README.md 
@@ -1,8 +1,25 @@ # End-to-End Demo: Compliance as Code CIS Benchmarks Catalog (snippet) End-to-End Demo: Compliance as Code CIS Benchmarks Catalog (snippet) -This repo comprises OSCAL catalog for the end-to-end demo. The OSCAL catalog is for CIS Benchmarks, but for proprietary reasons only a portion (snippet) of the entire catalog is used for this demo. +This repo comprises OSCAL catalog for the end-to-end demo. The OSCAL catalog is for CIS Controls, but for proprietary reasons only a portion (snippet) of the entire catalog is used for this demo. The full catalog can be obtained from [CIS Controls OSCAL Repository](https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository). -The [demo overview](https://github.com/oscal-compass/e2e-demo). \ No newline at end of file +The [demo overview](https://github.com/oscal-compass/e2e-demo). + +What this repo does: + +This repo ingests industry standard catalogs and provides a mechanism to generate an opinionated control set which is then leveraged by the profile repo. + +1. Input: It was initialized with OSCAL catalog.json, which is a subset of the full CIS controls. + +2. Processing: Changes to either the catloag.json or markdown files and creation of PR to merge these changes into develop will result in catalog generate/assemble. + +3. Output: Updated catalog.json in catalog repo + +4. Next action: Updated catalog.json pushed to profile repo + +Demo for this repo: + +- Show changes to markdown are incorporated into catloag.json + From 5c4c2732d04a66ac724b497e4951733ec551d7be Mon Sep 17 00:00:00 2001 
From: mrgadgil <49280244+mrgadgil@users.noreply.github.com> Date: Tue, 18 Feb 2025 08:17:51 -0500 Subject: [PATCH 07/14] Feat/build pipeline (#1) * feat: pipeline for cis catalog repo * fix: update install trestle, push and release scripts --- .github/workflows/dev-push.yml | 9 ++++----- .github/workflows/main-push.yml | 20 ++++++++++---------- scripts/automation/assemble_catalogs.sh | 21 +++++++++------------ scripts/automation/check_and_update_all.sh | 15 --------------- scripts/automation/install_trestle.sh | 3 +-- scripts/automation/push.sh | 4 ++-- scripts/automation/regenerate_catalogs.sh | 10 +++------- scripts/automation/release.sh | 4 ++-- 8 files changed, 31 insertions(+), 55 deletions(-) diff --git a/.github/workflows/dev-push.yml b/.github/workflows/dev-push.yml index 8dae868..708b124 100644 --- a/.github/workflows/dev-push.yml +++ b/.github/workflows/dev-push.yml @@ -12,15 +12,14 @@ jobs: with: submodules: true fetch-depth: 2 - token: ${{ secrets.GIT_TOKEN }} - - name: Set up Python 3.8 + token: ${{ secrets.GITHUB_TOKEN }} + - name: Set up Python 3.9 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.9 - name: Install Trestle run: bash scripts/automation/install_trestle.sh - name: Automatically update content on push run: bash scripts/automation/check_and_update_all.sh - name: Push the changes - run: bash scripts/automation/push.sh - + run: bash scripts/automation/push.sh \ No newline at end of file diff --git a/.github/workflows/main-push.yml b/.github/workflows/main-push.yml index 3fd2cdf..eb238dc 100644 --- a/.github/workflows/main-push.yml +++ b/.github/workflows/main-push.yml 
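Review bot: Switching the checkout credential from `secrets.GIT_TOKEN` to `secrets.GITHUB_TOKEN` leaves the push step without an explicit `permissions:` grant; on a repository using GitHub's restricted default the installation token is read-only for contents, so `bash scripts/automation/push.sh` would be rejected, and nothing in this hunk adds `permissions: contents: write`. One side effect worth knowing is that pushes made with `GITHUB_TOKEN` never start further workflow runs, so the `[ci skip]` marker on the bot commits becomes redundant rather than required. While this job is being touched, the context lines `actions/checkout@v2` and `actions/setup-python@v2` are mutable tags on deprecated majors; pinning to a full commit SHA (`uses: actions/checkout@<sha> # v4`) keeps a write-capable job from picking up a retagged action.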
@@ -12,11 +12,11 @@ jobs: with: submodules: true fetch-depth: 0 - token: ${{ secrets.GIT_TOKEN }} - - name: Set up Python 3.8 + token: ${{ secrets.GITHUB_TOKEN }} + - name: Set up Python 3.9 uses: actions/setup-python@v2 with: - python-version: 3.8 + python-version: 3.9 - name: Install Trestle run: bash scripts/automation/install_trestle.sh - name: Release @@ -24,7 +24,7 @@ jobs: - name: Push the changes run: bash scripts/automation/push.sh downstream-repo-update: - name: Update downstream repositories + name: Update downstream repositories - cd runs-on: ubuntu-latest needs: release steps: @@ -33,18 +33,18 @@ jobs: with: fetch-depth: 0 ref: main - token: ${{ secrets.GIT_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Clone downstream repo uses: actions/checkout@v2 with: - repository: ComplianceAsCode/ocp-oscal-profiles - path: './ocp-oscal-profiles' - token: ${{ secrets.GIT_TOKEN }} + repository: oscal-compass/e2e-demo-cac-profile-cis + path: './e2e-demo-cac-profile-cis' + token: ${{ secrets.GITHUB_TOKEN }} fetch-depth: 0 - name: Update profiles run: bash scripts/automation/update_profile.sh env: - GH_TOKEN: ${{ secrets.GIT_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} merge-main-to-develop: name: Merge main to develop runs-on: ubuntu-latest @@ -56,7 +56,7 @@ jobs: steps: - uses: tukasz/direct-merge-action@master with: - GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} source-branch: main target-branch: develop commit-message: "chore: Merge back version tags and changelog into develop." diff --git a/scripts/automation/assemble_catalogs.sh b/scripts/automation/assemble_catalogs.sh index ce0dc9d..a6482d4 100755 --- a/scripts/automation/assemble_catalogs.sh +++ b/scripts/automation/assemble_catalogs.sh 
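Review bot: `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the "Update profiles" step is very likely insufficient for its purpose, because the installation token is scoped to the repository running the workflow and cannot push branches or open pull requests in `oscal-compass/e2e-demo-cac-profile-cis`; the cross-repo `actions/checkout` only succeeds because reading a public repository needs no credential. The least-privilege replacement is a fine-grained PAT or a GitHub App installation token limited to that one downstream repository with `contents: write` and `pull-requests: write`, stored under its own secret name rather than reusing a broad token. `update_profile.sh` is outside this diff, so what it actually does with the token is inferred from the job name. Separately, the merge-back job hands `secrets.GITHUB_TOKEN` to `tukasz/direct-merge-action@master`, a third-party action pinned to a mutable branch; pin it to a commit SHA before giving it a write-capable token.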
@@ -1,15 +1,12 @@ version_tag=$1 for d in ./catalogs/* ; do - catalog=$(basename "$d") - if [ "$catalog" != "IBM_FS_FR_COMBINED" ]; then - if [ "$1" != "" ]; then - echo "Assembling ${catalog} with version ${version_tag}" - trestle author catalog-assemble --markdown md_catalogs/$catalog --output $catalog --version $version_tag - else - echo "Assembling ${catalog}" - trestle author catalog-assemble --markdown md_catalogs/$catalog --output $catalog - fi - else - echo "Skipping ${catalog}" - fi + + catalog=$(basename "$d") + if [ "$1" != "" ]; then + echo "Assembling ${catalog} with version ${version_tag}" + trestle author catalog-assemble --markdown md_catalogs/$catalog --output $catalog --version $version_tag + else + echo "Assembling ${catalog}" + trestle author catalog-assemble --markdown md_catalogs/$catalog --output $catalog + fi done diff --git a/scripts/automation/check_and_update_all.sh b/scripts/automation/check_and_update_all.sh index 0c3ab87..d8836d1 100755 --- a/scripts/automation/check_and_update_all.sh +++ b/scripts/automation/check_and_update_all.sh @@ -4,7 +4,6 @@ CHANGES=`git diff-tree --no-commit-id --name-only -r HEAD` md_changed=false json_changed=false -txt_changed=false # bash regex does not support lazy match, so need to use two patterns to match before and after the control id md1=$"^md_catalogs/" @@ -13,10 +12,6 @@ md2=$"\.md$" json1=$"^catalogs/" json2=$"\.json$" -# xlsx to OSCAL catalog conversion has to be done separately as we cannot put the CIS benchmark XLSX file in git -# txt1=$"^adjunct-data/" -# txt2=$"\.profile$" - for val in ${CHANGES[@]} ; do if [[ $val =~ $md1 && $val =~ $md2 ]]; then md_changed=true 
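Review bot: Removing the `IBM_FS_FR_COMBINED` guard leaves the loop with no check that `$d` is a directory, so a stray file under `catalogs/` (a `.keep` placeholder like the one added for `md_catalogs/` in a later commit, or an editor backup) becomes a bogus `--output` name passed to trestle; add `[ -d "$d" ] || continue` as the first statement of the loop body. `$catalog` and `$version_tag` are unquoted in both `trestle` invocations and `"$1"` is tested right after `version_tag=$1` was assigned; quoting them (`--markdown "md_catalogs/$catalog" --output "$catalog" --version "$version_tag"`) and testing `[ -n "$version_tag" ]` makes the intent clearer and survives unusual names. The script also has no `set -euo pipefail`, so a failed `catalog-assemble` does not stop `release.sh` from publishing a partially assembled tree; worth confirming that is intended.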
@@ -26,17 +21,8 @@ for val in ${CHANGES[@]} ; do json_changed=true fi - # if [[ $val =~ $txt1 && $val =~ $txt2 ]]; then - # txt_changed=true - # fi done -# if [[ $txt_changed = true ]]; then - # echo "Profile data file(s) were changes, converting txt to catalogs and regenerating markdowns..." - # trestle task ocp4-cis-profile-to-oscal-catalog -c adjunct-data/task-files/demo-ocp4-cis-profile-to-oscal-catalog.config - # ./scripts/automation/regenerate_catalogs.sh -# fi - if [[ $json_changed = true ]]; then echo "Json file(s) were changed, regenerating catalogs..." ./scripts/automation/regenerate_catalogs.sh @@ -49,6 +35,5 @@ if [[ $md_changed = true ]]; then fi - #echo "$md_changed $json_changed $txt_changed" echo "$md_changed $json_changed" diff --git a/scripts/automation/install_trestle.sh b/scripts/automation/install_trestle.sh index fec1b9d..818b252 100644 --- a/scripts/automation/install_trestle.sh +++ b/scripts/automation/install_trestle.sh @@ -1,6 +1,5 @@ #!/bin/bash python3 -m pip install --upgrade pip setuptools -#python3 -m pip install compliance-trestle==1.2.0 -python3 -m pip install git+https://github.com/IBM/compliance-trestle@develop +python3 -m pip install compliance-trestle python3 -m pip install python-semantic-release==7.31.4 \ No newline at end of file diff --git a/scripts/automation/push.sh b/scripts/automation/push.sh index 4bc3bd2..5ec17d7 100755 --- a/scripts/automation/push.sh +++ b/scripts/automation/push.sh @@ -59,8 +59,8 @@ function github-branch-commit() { fi local remote=origin - if [[ $GIT_TOKEN ]]; then - remote=https://$GIT_TOKEN@github.com/ComplianceAsCode/ocp-oscal-catalogs + if [[ $GITHUB_TOKEN ]]; then + remote=https://$GITHUB_TOKEN@github.com/oscal-compass/e2e-demo-cac-catalog-cis fi if [[ $GIT_BRANCH != main ]] && [[ $GIT_BRANCH != develop ]]; then msg "not pushing updates to branch $GIT_BRANCH" diff --git a/scripts/automation/regenerate_catalogs.sh b/scripts/automation/regenerate_catalogs.sh index 1262835..8d68aab 100755 
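Review bot: `python3 -m pip install compliance-trestle` replaces a pinned git ref with an unpinned latest-release install, while the next line still pins `python-semantic-release==7.31.4`; in a job that then commits and pushes generated catalogs with a write token, whatever trestle release PyPI serves that day executes with that credential. Pin it (`python3 -m pip install "compliance-trestle==<tested version>"`) and, if stronger supply-chain assurance is wanted, install both tools from a requirements file with `--require-hashes`. The hunk also keeps the `\ No newline at end of file` on the last command; add the trailing newline so a later append does not glue onto it.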
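Review bot: `remote=https://$GITHUB_TOKEN@github.com/oscal-compass/e2e-demo-cac-catalog-cis` embeds the token in the remote URL, so it shows up in the process listing of the following `git push` and in any error message git prints containing the URL; GitHub's log masking only covers values registered as secrets in the job. Since `actions/checkout` already persists an auth header for `origin` (its default `persist-credentials: true`), the plain `remote=origin` path is enough and the URL override can be dropped; if an env-driven override must stay, supply the credential through `git -c http.extraheader=...` or a credential helper rather than the URL. As far as the workflow hunks in this commit show, neither push step exports `GITHUB_TOKEN` into its `env`, so this branch is probably never taken today; worth confirming. `github-branch-commit` starts before this hunk.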
--- a/scripts/automation/regenerate_catalogs.sh +++ b/scripts/automation/regenerate_catalogs.sh @@ -1,9 +1,5 @@ for d in ./catalogs/* ; do - catalog=$(basename "$d") - if [ "$catalog" != "IBM_FS_FR_COMBINED" ]; then - echo "Regenerating ${catalog}" - trestle author catalog-generate --name $catalog --output md_catalogs/$catalog - else - echo "Skipping ${catalog}" - fi + catalog=$(basename "$d") + echo "Regenerating ${catalog}" + trestle author catalog-generate --name $catalog --output md_catalogs/$catalog done diff --git a/scripts/automation/release.sh b/scripts/automation/release.sh index be5bac3..c70cd96 100755 --- a/scripts/automation/release.sh +++ b/scripts/automation/release.sh @@ -2,7 +2,7 @@ version_tag=$(semantic-release print-version) echo "Bumping version of profiles to ${version_tag}" export VERSION_TAG="$version_tag" echo "VERSION_TAG=${VERSION_TAG}" >> $GITHUB_ENV -./scripts/automation/assemble_catalogs.sh $version_tag +./scripts/automation/assemble_profiles.sh $version_tag git config --global user.email "automation@example.com" git config --global user.name "Automation Bot" -semantic-release publish +semantic-release publish \ No newline at end of file From 98e770816f644753e0bcaa9e938118ea7979a8f6 Mon Sep 17 00:00:00 2001 From: "semantic-release (via TravisCI)" Date: Tue, 18 Feb 2025 08:19:57 -0500 Subject: [PATCH 08/14] fix: create md_catalogs --- md_catalogs/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 md_catalogs/.keep diff --git a/md_catalogs/.keep b/md_catalogs/.keep new file mode 100644 index 0000000..e69de29 From 19c8a6dd3cc1051e1a02adda6dc072de3f48749d Mon Sep 17 00:00:00 2001 From: mrgadgil <49280244+mrgadgil@users.noreply.github.com> Date: Tue, 18 Feb 2025 13:18:23 -0500 Subject: [PATCH 09/14] Update catalog.json --- catalogs/cis-v8/catalog.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/catalogs/cis-v8/catalog.json b/catalogs/cis-v8/catalog.json index 7f46442..20d8032 100644 
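Review bot: With the `IBM_FS_FR_COMBINED` guard gone, the loop feeds every entry of `catalogs/` to `trestle author catalog-generate --name $catalog`, including any non-directory such as a `.keep` placeholder; guard the body with `[ -d "$d" ] || continue` and quote the expansions (`--name "$catalog" --output "md_catalogs/$catalog"`). As in `assemble_catalogs.sh`, there is no `set -e`, so a failing `catalog-generate` is silently skipped by the caller.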
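Review bot: `./scripts/automation/assemble_profiles.sh $version_tag` points at a script this commit does not add — the diffstat lists `assemble_catalogs.sh`, `regenerate_catalogs.sh` and six other files, none named `assemble_profiles.sh` — and the surrounding `echo "Bumping version of profiles ..."` reads like a copy from the profile repository. In this catalog repository the release job would therefore either fail at that line or, if the script has no `set -e` (only part of it is visible here), continue to `semantic-release publish` without reassembling the catalogs at the new version. Restore `./scripts/automation/assemble_catalogs.sh "$version_tag"` and change the message to `echo "Bumping version of catalogs to ${version_tag}"`.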
--- a/catalogs/cis-v8/catalog.json +++ b/catalogs/cis-v8/catalog.json @@ -38,7 +38,7 @@ { "id":"cisc-1_stmt", "name":"statement", - "prose":"Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate." + "prose":"TESTActively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate." }, { "id":"cisc-1_gdn", @@ -2896,4 +2896,4 @@ } ] } -} \ No newline at end of file +} From 0b65e3163f62c21f5d3bd309444607c1e7604238 Mon Sep 17 00:00:00 2001 From: "semantic-release (via TravisCI)" Date: Tue, 18 Feb 2025 13:29:45 -0500 Subject: [PATCH 10/14] Update dev-push.yml --- .github/workflows/dev-push.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/dev-push.yml b/.github/workflows/dev-push.yml index 708b124..59689f0 100644 --- a/.github/workflows/dev-push.yml +++ b/.github/workflows/dev-push.yml 
@@ -3,6 +3,12 @@ on: push: branches: - develop + +permissions: + contents: write # Allows write access to repository content + issues: write # Allows write access to issues (if needed) + pull-requests: write # Allows write access to pull requests (if needed) + jobs: auto-content-update: name: Autoupdate content From 786b1419c727513873c9353d875592b2aacaedf4 Mon Sep 17 00:00:00 2001 From: mrgadgil <49280244+mrgadgil@users.noreply.github.com> Date: Tue, 18 Feb 2025 13:30:46 -0500 Subject: [PATCH 11/14] fix: update catalog.json --- catalogs/cis-v8/catalog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/catalogs/cis-v8/catalog.json b/catalogs/cis-v8/catalog.json index 20d8032..f2df305 100644 --- a/catalogs/cis-v8/catalog.json +++ b/catalogs/cis-v8/catalog.json @@ -38,7 +38,7 @@ { "id":"cisc-1_stmt", "name":"statement", - "prose":"TESTActively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate." + "prose":"Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing\/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate." }, { "id":"cisc-1_gdn", From d4fffd0e06d7a35175913e34443864ff370c0602 Mon Sep 17 00:00:00 2001 
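Review bot: `issues: write` and `pull-requests: write` are granted to every job in this workflow, yet the only job shown, `auto-content-update`, checks out, installs trestle, runs `check_and_update_all.sh` and pushes; nothing visible touches issues or pull requests, and the `(if needed)` comments concede as much. Least privilege for a write-capable installation token is to grant only what the push needs: `permissions:` followed by `  contents: write` and nothing else, adding further scopes at job level only when a step actually calls those APIs. The top-level block also applies to any job added later; placing it under `jobs.auto-content-update.permissions` keeps future jobs from inheriting write access by default.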
From: Automation Bot Date: Tue, 18 Feb 2025 18:31:13 +0000 Subject: [PATCH 12/14] Autoupdate [ci skip] --- md_catalogs/cis-v8/cisc-1.1.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-1.2.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-1.3.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-1.4.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-1.5.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-1.md | 22 ++++++++++++++++++++++ md_catalogs/cis-v8/cisc-2.1.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-2.2.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-2.3.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-2.4.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-2.5.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-2.6.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-2.7.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-2.md | 18 ++++++++++++++++++ md_catalogs/cis-v8/cisc-3.1.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.10.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.11.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.12.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.13.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.14.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.2.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.3.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.4.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.5.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.6.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.7.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.8.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.9.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-3.md | 20 ++++++++++++++++++++ md_catalogs/cis-v8/cisc-4.1.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.10.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.11.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.12.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.2.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.3.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.4.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.5.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.6.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.7.md | 10 ++++++++++ 
md_catalogs/cis-v8/cisc-4.8.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.9.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-4.md | 18 ++++++++++++++++++ md_catalogs/cis-v8/cisc-5.1.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-5.2.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-5.3.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-5.4.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-5.5.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-5.6.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-5.md | 18 ++++++++++++++++++ md_catalogs/cis-v8/cisc-6.1.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.2.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.3.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.4.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.5.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.6.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.7.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.8.md | 10 ++++++++++ md_catalogs/cis-v8/cisc-6.md | 18 ++++++++++++++++++ 58 files changed, 634 insertions(+) create mode 100644 md_catalogs/cis-v8/cisc-1.1.md create mode 100644 md_catalogs/cis-v8/cisc-1.2.md create mode 100644 md_catalogs/cis-v8/cisc-1.3.md create mode 100644 md_catalogs/cis-v8/cisc-1.4.md create mode 100644 md_catalogs/cis-v8/cisc-1.5.md create mode 100644 md_catalogs/cis-v8/cisc-1.md create mode 100644 md_catalogs/cis-v8/cisc-2.1.md create mode 100644 md_catalogs/cis-v8/cisc-2.2.md create mode 100644 md_catalogs/cis-v8/cisc-2.3.md create mode 100644 md_catalogs/cis-v8/cisc-2.4.md create mode 100644 md_catalogs/cis-v8/cisc-2.5.md create mode 100644 md_catalogs/cis-v8/cisc-2.6.md create mode 100644 md_catalogs/cis-v8/cisc-2.7.md create mode 100644 md_catalogs/cis-v8/cisc-2.md create mode 100644 md_catalogs/cis-v8/cisc-3.1.md create mode 100644 md_catalogs/cis-v8/cisc-3.10.md create mode 100644 md_catalogs/cis-v8/cisc-3.11.md create mode 100644 md_catalogs/cis-v8/cisc-3.12.md create mode 100644 md_catalogs/cis-v8/cisc-3.13.md create mode 100644 md_catalogs/cis-v8/cisc-3.14.md create mode 100644 md_catalogs/cis-v8/cisc-3.2.md 
create mode 100644 md_catalogs/cis-v8/cisc-3.3.md create mode 100644 md_catalogs/cis-v8/cisc-3.4.md create mode 100644 md_catalogs/cis-v8/cisc-3.5.md create mode 100644 md_catalogs/cis-v8/cisc-3.6.md create mode 100644 md_catalogs/cis-v8/cisc-3.7.md create mode 100644 md_catalogs/cis-v8/cisc-3.8.md create mode 100644 md_catalogs/cis-v8/cisc-3.9.md create mode 100644 md_catalogs/cis-v8/cisc-3.md create mode 100644 md_catalogs/cis-v8/cisc-4.1.md create mode 100644 md_catalogs/cis-v8/cisc-4.10.md create mode 100644 md_catalogs/cis-v8/cisc-4.11.md create mode 100644 md_catalogs/cis-v8/cisc-4.12.md create mode 100644 md_catalogs/cis-v8/cisc-4.2.md create mode 100644 md_catalogs/cis-v8/cisc-4.3.md create mode 100644 md_catalogs/cis-v8/cisc-4.4.md create mode 100644 md_catalogs/cis-v8/cisc-4.5.md create mode 100644 md_catalogs/cis-v8/cisc-4.6.md create mode 100644 md_catalogs/cis-v8/cisc-4.7.md create mode 100644 md_catalogs/cis-v8/cisc-4.8.md create mode 100644 md_catalogs/cis-v8/cisc-4.9.md create mode 100644 md_catalogs/cis-v8/cisc-4.md create mode 100644 md_catalogs/cis-v8/cisc-5.1.md create mode 100644 md_catalogs/cis-v8/cisc-5.2.md create mode 100644 md_catalogs/cis-v8/cisc-5.3.md create mode 100644 md_catalogs/cis-v8/cisc-5.4.md create mode 100644 md_catalogs/cis-v8/cisc-5.5.md create mode 100644 md_catalogs/cis-v8/cisc-5.6.md create mode 100644 md_catalogs/cis-v8/cisc-5.md create mode 100644 md_catalogs/cis-v8/cisc-6.1.md create mode 100644 md_catalogs/cis-v8/cisc-6.2.md create mode 100644 md_catalogs/cis-v8/cisc-6.3.md create mode 100644 md_catalogs/cis-v8/cisc-6.4.md create mode 100644 md_catalogs/cis-v8/cisc-6.5.md create mode 100644 md_catalogs/cis-v8/cisc-6.6.md create mode 100644 md_catalogs/cis-v8/cisc-6.7.md create mode 100644 md_catalogs/cis-v8/cisc-6.8.md create mode 100644 md_catalogs/cis-v8/cisc-6.md diff --git a/md_catalogs/cis-v8/cisc-1.1.md b/md_catalogs/cis-v8/cisc-1.1.md new file mode 100644 index 0000000..0a1472f --- /dev/null 
+++ b/md_catalogs/cis-v8/cisc-1.1.md @@ -0,0 +1,10 @@ +--- +x-trestle-global: + sort-id: cisc-01.01 +--- + +# cisc-1.1 - \[\] Establish and Maintain Detailed Enterprise Asset Inventory + +## Control Statement + +Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. diff --git a/md_catalogs/cis-v8/cisc-1.2.md b/md_catalogs/cis-v8/cisc-1.2.md new file mode 100644 index 0000000..e3a835f --- /dev/null +++ b/md_catalogs/cis-v8/cisc-1.2.md @@ -0,0 +1,10 @@ +--- +x-trestle-global: + sort-id: cisc-01.02 +--- + +# cisc-1.2 - \[\] Address Unauthorized Assets + +## Control Statement + +Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. diff --git a/md_catalogs/cis-v8/cisc-1.3.md b/md_catalogs/cis-v8/cisc-1.3.md new file mode 100644 index 0000000..a9aa470 --- /dev/null +++ b/md_catalogs/cis-v8/cisc-1.3.md 
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-01.03
+---
+
+# cisc-1.3 - \[\] Utilize an Active Discovery Tool
+
+## Control Statement
+
+Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-1.4.md b/md_catalogs/cis-v8/cisc-1.4.md
new file mode 100644
index 0000000..46be9ba
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-1.4.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-01.04
+---
+
+# cisc-1.4 - \[\] Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
+
+## Control Statement
+
+Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-1.5.md b/md_catalogs/cis-v8/cisc-1.5.md
new file mode 100644
index 0000000..ba47989
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-1.5.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-01.05
+---
+
+# cisc-1.5 - \[\] Use a Passive Asset Discovery Tool
+
+## Control Statement
+
+Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-1.md b/md_catalogs/cis-v8/cisc-1.md
new file mode 100644
index 0000000..ae006e5
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-1.md
@@ -0,0 +1,22 @@
+---
+x-trestle-global:
+ sort-id: cisc-01
+---
+
+# cisc-1 - \[\] Inventory and Control of Enterprise Assets
+
+## Control Statement
+
+Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure, physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
+
+## Control guidance
+
+Enterprises cannot defend what they do not know they have. Managed control of all enterprise assets also plays a critical role in security monitoring, incident response, system backup, and recovery. Enterprises should know what data is critical to them, and proper asset management will help identify those enterprise assets that hold or manage this critical data, so appropriate security controls can be applied.
+
+External attackers are continuously scanning the internet address space of target enterprises, premise-based or in the cloud, identifying possibly unprotected assets attached to enterprises’ networks. Attackers can take advantage of new assets that are installed, yet not securely configured and patched. Internally, unidentified assets can also have weak security configurations that can make them vulnerable to web or email-based malware; and adversaries can leverage weak security configurations for traversing the network, once they are inside.
+
+Additional assets that connect to the enterprise’s network (e.g., demonstration systems, temporary test systems, guest networks, etc.) should be identified and/or isolated, in order to prevent adversarial access from affecting the security of enterprise operations.
+
+Large, complex, dynamic enterprises understandably struggle with the challenge of managing intricate, fast-changing environments. However, attackers have shown the ability, patience, and willingness to “inventory and control” our enterprise assets at very large scale in order to support their opportunities.
+
+Another challenge is that portable end-user devices will periodically join a network and then disappear, making the inventory of currently available assets very dynamic. Likewise, cloud environments and virtual machines can be difficult to track in asset inventories when they are shut down or paused. Another benefit of complete enterprise asset management is supporting incident response. Both when investigating the origination of network traffic from an asset on the network, and to be able to identify all potentially vulnerable, or impacted, assets of similar type or location during an incident.
diff --git a/md_catalogs/cis-v8/cisc-2.1.md b/md_catalogs/cis-v8/cisc-2.1.md
new file mode 100644
index 0000000..9daf729
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.1.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-02.01
+---
+
+# cisc-2.1 - \[\] Establish and Maintain a Software Inventory
+
+## Control Statement
+
+Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-2.2.md b/md_catalogs/cis-v8/cisc-2.2.md
new file mode 100644
index 0000000..efffc44
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.2.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-02.02
+---
+
+# cisc-2.2 - \[\] Ensure Authorized Software is Currently Supported
+
+## Control Statement
+
+Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-2.3.md b/md_catalogs/cis-v8/cisc-2.3.md
new file mode 100644
index 0000000..28800c2
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.3.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-02.03
+---
+
+# cisc-2.3 - \[\] Address Unauthorized Software
+
+## Control Statement
+
+Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-2.4.md b/md_catalogs/cis-v8/cisc-2.4.md
new file mode 100644
index 0000000..1a1f8b9
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.4.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-02.04
+---
+
+# cisc-2.4 - \[\] Utilize Automated Software Inventory Tools
+
+## Control Statement
+
+Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.
diff --git a/md_catalogs/cis-v8/cisc-2.5.md b/md_catalogs/cis-v8/cisc-2.5.md
new file mode 100644
index 0000000..babd0aa
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.5.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-02.05
+---
+
+# cisc-2.5 - \[\] Allowlist Authorized Software
+
+## Control Statement
+
+Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-2.6.md b/md_catalogs/cis-v8/cisc-2.6.md
new file mode 100644
index 0000000..79c38ff
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.6.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-02.06
+---
+
+# cisc-2.6 - \[\] Allowlist Authorized Libraries
+
+## Control Statement
+
+Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-2.7.md b/md_catalogs/cis-v8/cisc-2.7.md
new file mode 100644
index 0000000..f835e47
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.7.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-02.07
+---
+
+# cisc-2.7 - \[\] Allowlist Authorized Scripts
+
+## Control Statement
+
+Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-2.md b/md_catalogs/cis-v8/cisc-2.md
new file mode 100644
index 0000000..ba7f05a
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-2.md
@@ -0,0 +1,18 @@
+---
+x-trestle-global:
+ sort-id: cisc-02
+---
+
+# cisc-2 - \[\] Inventory and Control of Software Assets
+
+## Control Statement
+
+Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
+
+## Control guidance
+
+A complete software inventory is a critical foundation for preventing attacks. Attackers continuously scan target enterprises looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. Attackers can also use this access to move laterally through the network. One of the key defenses against these attacks is updating and patching software. However, without a complete inventory of software assets, an enterprise cannot determine if they have vulnerable software, or if there are potential licensing violations.
+
+Even if a patch is not yet available, a complete software inventory list allows an enterprise to guard against known attacks until the patch is released. Some sophisticated attackers use “zero-day exploits”, which take advantage of previously unknown vulnerabilities that have yet to have a patch released by the software vendor. Depending on the severity of the exploit, an enterprise can implement temporary mitigation measures to guard against attacks until the patch is released.
+
+Management of software assets is also important to identify unnecessary security risks. An enterprise should review their software inventory to identify any enterprise assets running software that is not needed for business purposes.
For example, an enterprise asset may come installed with default software that creates a potential security risk and provides no benefit to the enterprise. It is critical to inventory, understand, assess, and manage all software connected to an enterprise’s infrastructure.
diff --git a/md_catalogs/cis-v8/cisc-3.1.md b/md_catalogs/cis-v8/cisc-3.1.md
new file mode 100644
index 0000000..b3b2029
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.1.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.01
+---
+
+# cisc-3.1 - \[\] Establish and Maintain a Data Management Process
+
+## Control Statement
+
+Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
diff --git a/md_catalogs/cis-v8/cisc-3.10.md b/md_catalogs/cis-v8/cisc-3.10.md
new file mode 100644
index 0000000..eab9847
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.10.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.10
+---
+
+# cisc-3.10 - \[\] Encrypt Sensitive Data in Transit
+
+## Control Statement
+
+Encrypt sensitive data in transit. Example implementations can include, Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
diff --git a/md_catalogs/cis-v8/cisc-3.11.md b/md_catalogs/cis-v8/cisc-3.11.md
new file mode 100644
index 0000000..e8ea047
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.11.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.11
+---
+
+# cisc-3.11 - \[\] Encrypt Sensitive Data At Rest
+
+## Control Statement
+
+Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
diff --git a/md_catalogs/cis-v8/cisc-3.12.md b/md_catalogs/cis-v8/cisc-3.12.md
new file mode 100644
index 0000000..f16fa28
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.12.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.12
+---
+
+# cisc-3.12 - \[\] Segment Data Processing and Storage Based on Sensitivity
+
+## Control Statement
+
+Segment data processing and storage, based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
diff --git a/md_catalogs/cis-v8/cisc-3.13.md b/md_catalogs/cis-v8/cisc-3.13.md
new file mode 100644
index 0000000..2bcf08c
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.13.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.13
+---
+
+# cisc-3.13 - \[\] Segment Data Processing and Storage Based on Sensitivity
+
+## Control Statement
+
+Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise’s sensitive data inventory.
diff --git a/md_catalogs/cis-v8/cisc-3.14.md b/md_catalogs/cis-v8/cisc-3.14.md
new file mode 100644
index 0000000..88c2ba8
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.14.md
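Review bot: The heading written into cisc-3.13.md, `# cisc-3.13 - \[\] Segment Data Processing and Storage Based on Sensitivity`, is a copy of the cisc-3.12 title, while the Control Statement under it describes deploying a host-based Data Loss Prevention tool, so title and statement disagree. CIS Controls v8 names Safeguard 3.13 "Deploy a Data Loss Prevention Solution"; please verify against the CIS source and, if the duplicated title is present in the source catalog this markdown is generated from, fix it there so a regenerate does not reintroduce it. As committed, any profile, SSP or component definition that renders control titles will present a DLP requirement as a segmentation requirement.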
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.14
+---
+
+# cisc-3.14 - \[\] Log Sensitive Data Access
+
+## Control Statement
+
+Log sensitive data access, including modification and disposal.
diff --git a/md_catalogs/cis-v8/cisc-3.2.md b/md_catalogs/cis-v8/cisc-3.2.md
new file mode 100644
index 0000000..e98766f
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.2.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.02
+---
+
+# cisc-3.2 - \[\] Establish and Maintain a Data Inventory
+
+## Control Statement
+
+Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
diff --git a/md_catalogs/cis-v8/cisc-3.3.md b/md_catalogs/cis-v8/cisc-3.3.md
new file mode 100644
index 0000000..9e15b76
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.3.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.03
+---
+
+# cisc-3.3 - \[\] Configure Data Access Control Lists
+
+## Control Statement
+
+Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
diff --git a/md_catalogs/cis-v8/cisc-3.4.md b/md_catalogs/cis-v8/cisc-3.4.md
new file mode 100644
index 0000000..47a96a1
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.4.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.04
+---
+
+# cisc-3.4 - \[\] Enforce Data Retention
+
+## Control Statement
+
+Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.
diff --git a/md_catalogs/cis-v8/cisc-3.5.md b/md_catalogs/cis-v8/cisc-3.5.md
new file mode 100644
index 0000000..e1230bb
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.5.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.05
+---
+
+# cisc-3.5 - \[\] Securely Dispose of Data
+
+## Control Statement
+
+Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
diff --git a/md_catalogs/cis-v8/cisc-3.6.md b/md_catalogs/cis-v8/cisc-3.6.md
new file mode 100644
index 0000000..7a7a9ed
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.6.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.06
+---
+
+# cisc-3.6 - \[\] Encrypt Data on End-User Devices
+
+## Control Statement
+
+Encrypt data on end-user devices containing sensitive data. Example implementations can include, Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
diff --git a/md_catalogs/cis-v8/cisc-3.7.md b/md_catalogs/cis-v8/cisc-3.7.md
new file mode 100644
index 0000000..9404cc7
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.7.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.07
+---
+
+# cisc-3.7 - \[\] Establish and Maintain a Data Classification Scheme
+
+## Control Statement
+
+Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive”, “Confidential” and “Public”, and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.
diff --git a/md_catalogs/cis-v8/cisc-3.8.md b/md_catalogs/cis-v8/cisc-3.8.md
new file mode 100644
index 0000000..98873c9
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.8.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.08
+---
+
+# cisc-3.8 - \[\] Document Data Flows
+
+## Control Statement
+
+Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise?s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
diff --git a/md_catalogs/cis-v8/cisc-3.9.md b/md_catalogs/cis-v8/cisc-3.9.md
new file mode 100644
index 0000000..cda2cc5
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.9.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-03.09
+---
+
+# cisc-3.9 - \[\] Encrypt Data on Removable Media
+
+## Control Statement
+
+Encrypt data on removable media.
diff --git a/md_catalogs/cis-v8/cisc-3.md b/md_catalogs/cis-v8/cisc-3.md
new file mode 100644
index 0000000..197b652
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-3.md
@@ -0,0 +1,20 @@
+---
+x-trestle-global:
+ sort-id: cisc-03
+---
+
+# cisc-3 - \[\] Data Protection
+
+## Control Statement
+
+Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
+
+## Control guidance
+
+Data is no longer only contained within an enterprise’s border, it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services who might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. Data must be appropriately managed through its entire lifecycle. These privacy rules can be complicated for multi-national enterprises, of any size, however there are fundamentals that can apply to all.
+
+Once attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to find and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their environment because they are not monitoring data outflows.
+
+While many attacks occur on the network, others involve physical theft of portable end-user devices, attacks on service providers or other partners holding sensitive data. Other sensitive enterprise assets may also include non-computing devices that provide management and control of physical systems, such as Supervisory Control and Data Acquisition (SCADA) systems.
+
+The enterprise’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error.
The adoption of data encryption, both in transit and at rest, can provide mitigation against data compromise, and more importantly, is a regulatory requirement for most controlled data.
diff --git a/md_catalogs/cis-v8/cisc-4.1.md b/md_catalogs/cis-v8/cisc-4.1.md
new file mode 100644
index 0000000..994fa2f
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.1.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.01
+---
+
+# cisc-4.1 - \[\] Establish and Maintain a Secure Configuration Process
+
+## Control Statement
+
+Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
diff --git a/md_catalogs/cis-v8/cisc-4.10.md b/md_catalogs/cis-v8/cisc-4.10.md
new file mode 100644
index 0000000..9d1c606
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.10.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.10
+---
+
+# cisc-4.10 - \[\] Enforce Automatic Device Lockout on Portable End-User Devices
+
+## Control Statement
+
+Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft? InTune Device Lock and Apple? Configuration Profile maxFailedAttempts.
diff --git a/md_catalogs/cis-v8/cisc-4.11.md b/md_catalogs/cis-v8/cisc-4.11.md
new file mode 100644
index 0000000..8b7fdf0
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.11.md
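Review bot: The Control Statement committed in cisc-4.10.md reads `Example implementations include Microsoft? InTune Device Lock and Apple? Configuration Profile maxFailedAttempts.`, where each `?` sits where a non-ASCII character (presumably the ® mark) was replaced during conversion, yet cisc-3.6.md in the same series keeps `BitLocker®` intact, so the loss looks specific to how some source cells were decoded rather than to the markdown generator. The same replacement character appears in cisc-3.8.md (`enterprise?s`) and cisc-4.12.md (`Apple? Configuration Profile or Android? Work Profile`). Since these files appear to be generated from the catalog, the text should be corrected in the source catalog or in the conversion's character decoding and the markdown regenerated, not hand-edited here; a search for a `?` directly followed by a letter across md_catalogs/cis-v8 would surface any remaining occurrences.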
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.11
+---
+
+# cisc-4.11 - \[\] Enforce Remote Wipe Capability on Portable End-User Devices
+
+## Control Statement
+
+Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
diff --git a/md_catalogs/cis-v8/cisc-4.12.md b/md_catalogs/cis-v8/cisc-4.12.md
new file mode 100644
index 0000000..858e68e
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.12.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.12
+---
+
+# cisc-4.12 - \[\] Separate Enterprise Workspaces on Mobile End-User Devices
+
+## Control Statement
+
+Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple? Configuration Profile or Android? Work Profile to separate enterprise applications and data from personal applications and data.
diff --git a/md_catalogs/cis-v8/cisc-4.2.md b/md_catalogs/cis-v8/cisc-4.2.md
new file mode 100644
index 0000000..8be2e7a
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.2.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.02
+---
+
+# cisc-4.2 - \[\] Establish and Maintain a Secure Configuration Process for Network Infrastructure
+
+## Control Statement
+
+Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
diff --git a/md_catalogs/cis-v8/cisc-4.3.md b/md_catalogs/cis-v8/cisc-4.3.md
new file mode 100644
index 0000000..614522d
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.3.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.03
+---
+
+# cisc-4.3 - \[\] Configure Automatic Session Locking on Enterprise Assets
+
+## Control Statement
+
+Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
diff --git a/md_catalogs/cis-v8/cisc-4.4.md b/md_catalogs/cis-v8/cisc-4.4.md
new file mode 100644
index 0000000..e5dfca9
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.4.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.04
+---
+
+# cisc-4.4 - \[\] Implement and Manage a Firewall on Servers
+
+## Control Statement
+
+Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
diff --git a/md_catalogs/cis-v8/cisc-4.5.md b/md_catalogs/cis-v8/cisc-4.5.md
new file mode 100644
index 0000000..2d5c3bb
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.5.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.05
+---
+
+# cisc-4.5 - \[\] Implement and Manage a Firewall on End-User Devices
+
+## Control Statement
+
+Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
diff --git a/md_catalogs/cis-v8/cisc-4.6.md b/md_catalogs/cis-v8/cisc-4.6.md
new file mode 100644
index 0000000..00d7d00
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.6.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.06
+---
+
+# cisc-4.6 - \[\] Securely Manage Enterprise Assets and Software
+
+## Control Statement
+
+Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
diff --git a/md_catalogs/cis-v8/cisc-4.7.md b/md_catalogs/cis-v8/cisc-4.7.md
new file mode 100644
index 0000000..f5e1e2e
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.7.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.07
+---
+
+# cisc-4.7 - \[\] Manage Default Accounts on Enterprise Assets and Software
+
+## Control Statement
+
+Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
diff --git a/md_catalogs/cis-v8/cisc-4.8.md b/md_catalogs/cis-v8/cisc-4.8.md
new file mode 100644
index 0000000..5866648
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.8.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.08
+---
+
+# cisc-4.8 - \[\] Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
+
+## Control Statement
+
+Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
diff --git a/md_catalogs/cis-v8/cisc-4.9.md b/md_catalogs/cis-v8/cisc-4.9.md
new file mode 100644
index 0000000..eed625d
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.9.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-04.09
+---
+
+# cisc-4.9 - \[\] Configure Trusted DNS Servers on Enterprise Assets
+
+## Control Statement
+
+Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
diff --git a/md_catalogs/cis-v8/cisc-4.md b/md_catalogs/cis-v8/cisc-4.md
new file mode 100644
index 0000000..be9e2e6
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-4.md
@@ -0,0 +1,18 @@
+---
+x-trestle-global:
+ sort-id: cisc-04
+---
+
+# cisc-4 - \[\] Secure Configuration of Enterprise Assets and Software
+
+## Control Statement
+
+Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
+
+## Control guidance
+
+As delivered from manufacturers and resellers, the default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security. Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploitable if left in their default state. Further, these security configuration updates need to be managed and maintained over the life cycle of enterprise assets and software. Configuration updates need to be tracked and approved through configuration management workflow process to maintain a record that can be reviewed for compliance, leveraged for incident response, and to support audits. This CIS Control is important to on-premises devices, as well as remote devices, network devices, and cloud environments.
+
+Service providers play a key role in modern infrastructures, especially for smaller enterprises. They often are not set up by default in the most secure configuration to provide flexibility for their customers to apply their own security policies. Therefore, the presence of default accounts or passwords, excessive access, or unnecessary services are common in default configurations. These could introduce weaknesses that are under the responsibility of the enterprise that is using the software, rather than the service provider.
This extends to ongoing management and updates, as some Platform as a Service (PaaS) only extend to the operating system, so patching and updating hosted applications are under the responsibility of the enterprise.
+
+Even after a strong initial configuration is developed and applied, it must be continually managed to avoid degrading security as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked,” to allow the installation of new software or to support new operational requirements.
diff --git a/md_catalogs/cis-v8/cisc-5.1.md b/md_catalogs/cis-v8/cisc-5.1.md
new file mode 100644
index 0000000..cf85318
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-5.1.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-05.01
+---
+
+# cisc-5.1 - \[\] Establish and Maintain an Inventory of Accounts
+
+## Control Statement
+
+Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-5.2.md b/md_catalogs/cis-v8/cisc-5.2.md
new file mode 100644
index 0000000..7f80552
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-5.2.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-05.02
+---
+
+# cisc-5.2 - \[\] Use Unique Passwords
+
+## Control Statement
+
+Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
diff --git a/md_catalogs/cis-v8/cisc-5.3.md b/md_catalogs/cis-v8/cisc-5.3.md
new file mode 100644
index 0000000..33e73e0
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-5.3.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-05.03
+---
+
+# cisc-5.3 - \[\] Disable Dormant Accounts
+
+## Control Statement
+
+Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported
diff --git a/md_catalogs/cis-v8/cisc-5.4.md b/md_catalogs/cis-v8/cisc-5.4.md
new file mode 100644
index 0000000..8937d7a
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-5.4.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-05.04
+---
+
+# cisc-5.4 - \[\] Restrict Administrator Privileges to Dedicated Administrator Accounts
+
+## Control Statement
+
+Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
diff --git a/md_catalogs/cis-v8/cisc-5.5.md b/md_catalogs/cis-v8/cisc-5.5.md
new file mode 100644
index 0000000..c2ecae4
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-5.5.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-05.05
+---
+
+# cisc-5.5 - \[\] Establish and Maintain an Inventory of Service Accounts
+
+## Control Statement
+
+Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-5.6.md b/md_catalogs/cis-v8/cisc-5.6.md
new file mode 100644
index 0000000..316b648
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-5.6.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-05.06
+---
+
+# cisc-5.6 - \[\] Centralize Account Management
+
+## Control Statement
+
+Centralize account management through a directory or identity service.
diff --git a/md_catalogs/cis-v8/cisc-5.md b/md_catalogs/cis-v8/cisc-5.md
new file mode 100644
index 0000000..56b941d
--- /dev/null 
+++ b/md_catalogs/cis-v8/cisc-5.md
@@ -0,0 +1,18 @@
+---
+x-trestle-global:
+ sort-id: cisc-05
+---
+
+# cisc-5 - \[\] Account Management
+
+## Control Statement
+
+Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
+
+## Control guidance
+
+It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data through using valid user credentials than through “hacking” the environment. There are many ways to covertly obtain access to user accounts, including: weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts that have not been changed in months or years, service accounts embedded in applications for scripts, a user having the same password as one they use for an online account that has been compromised (in a public password dump), social engineering a user to give their password, or using malware to capture passwords or tokens in memory or over the network.
+
+Administrative, or highly privileged, accounts are a particular target, because they allow attackers to add other accounts, or make changes to assets that could make them more vulnerable to other attacks. Service accounts are also sensitive, as they are often shared among teams, internal and external to the enterprise, and sometimes not known about, only to be revealed in standard account management audits.
+
+Finally, account logging and monitoring is a critical component of security operations. While account logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is important in the development of a comprehensive Identity and Access Management (IAM) program.
diff --git a/md_catalogs/cis-v8/cisc-6.1.md b/md_catalogs/cis-v8/cisc-6.1.md
new file mode 100644
index 0000000..7f0d7d9
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.1.md 
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.01
+---
+
+# cisc-6.1 - \[\] Establish an Access Granting Process
+
+## Control Statement
+
+Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
diff --git a/md_catalogs/cis-v8/cisc-6.2.md b/md_catalogs/cis-v8/cisc-6.2.md
new file mode 100644
index 0000000..96272f0
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.2.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.02
+---
+
+# cisc-6.2 - \[\] Establish an Access Revoking Process
+
+## Control Statement
+
+Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
diff --git a/md_catalogs/cis-v8/cisc-6.3.md b/md_catalogs/cis-v8/cisc-6.3.md
new file mode 100644
index 0000000..5339a31
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.3.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.03
+---
+
+# cisc-6.3 - \[\] Require MFA for Externally-Exposed Applications
+
+## Control Statement
+
+Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
diff --git a/md_catalogs/cis-v8/cisc-6.4.md b/md_catalogs/cis-v8/cisc-6.4.md
new file mode 100644
index 0000000..6ad4eda
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.4.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.04
+---
+
+# cisc-6.4 - \[\] Require MFA for Remote Network Access
+
+## Control Statement
+
+Require MFA for remote network access.
diff --git a/md_catalogs/cis-v8/cisc-6.5.md b/md_catalogs/cis-v8/cisc-6.5.md
new file mode 100644
index 0000000..a04c62a
--- /dev/null 
+++ b/md_catalogs/cis-v8/cisc-6.5.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.05
+---
+
+# cisc-6.5 - \[\] Require MFA for Administrative Access
+
+## Control Statement
+
+Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
diff --git a/md_catalogs/cis-v8/cisc-6.6.md b/md_catalogs/cis-v8/cisc-6.6.md
new file mode 100644
index 0000000..ee9a4d1
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.6.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.06
+---
+
+# cisc-6.6 - \[\] Establish and Maintain an Inventory of Authentication and Authorization Systems
+
+## Control Statement
+
+Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-6.7.md b/md_catalogs/cis-v8/cisc-6.7.md
new file mode 100644
index 0000000..07464a0
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.7.md
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.07
+---
+
+# cisc-6.7 - \[\] Centralize Access Control
+
+## Control Statement
+
+Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
diff --git a/md_catalogs/cis-v8/cisc-6.8.md b/md_catalogs/cis-v8/cisc-6.8.md
new file mode 100644
index 0000000..9db5e9e
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.8.md 
@@ -0,0 +1,10 @@
+---
+x-trestle-global:
+ sort-id: cisc-06.08
+---
+
+# cisc-6.8 - \[\] Centralize Access Control
+
+## Control Statement
+
+Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
diff --git a/md_catalogs/cis-v8/cisc-6.md b/md_catalogs/cis-v8/cisc-6.md
new file mode 100644
index 0000000..c854b3a
--- /dev/null
+++ b/md_catalogs/cis-v8/cisc-6.md 
@@ -0,0 +1,18 @@
+---
+x-trestle-global:
+ sort-id: cisc-06
+---
+
+# cisc-6 - \[\] Access Control Management
+
+## Control Statement
+
+Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
+
+## Control guidance
+
+Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing what access these accounts have, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorization needed for the role. Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provision and de-provisioning access is also important. Centralizing this function is ideal.
+
+There are some user activities that pose greater risk to an enterprise, either because they are accessed from untrusted networks, or performing administrator functions that allow the ability to add, change, or remove other accounts, or make configuration changes to operating systems or applications to make them less secure. This also enforces the importance of using MFA and Privileged Access Management (PAM) tools.
+
+Some users have access to enterprise assets or data they do not need for their role; this might be due to an immature process that gives all users all access, or lingering access as users change roles within the enterprise over time. Local administrator privileges to users’ laptops is also an issue, as any malicious code installed or downloaded by the user can have greater impact on the enterprise asset running as administrator. User, administrator, and service account access should be based on enterprise role and need.
From eb8e76f75646eaa7a56ea31e0c1900091ecd9812 Mon Sep 17 00:00:00 2001 
From: "semantic-release (via TravisCI)"
Date: Wed, 19 Feb 2025 17:07:43 -0500
Subject: [PATCH 13/14] fix: change script name
---
 scripts/automation/release.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/automation/release.sh b/scripts/automation/release.sh
index c70cd96..84f395b 100755
--- a/scripts/automation/release.sh
+++ b/scripts/automation/release.sh
@@ -2,7 +2,7 @@ version_tag=$(semantic-release print-version)
 echo "Bumping version of profiles to ${version_tag}"
 export VERSION_TAG="$version_tag"
 echo "VERSION_TAG=${VERSION_TAG}" >> $GITHUB_ENV
-./scripts/automation/assemble_profiles.sh $version_tag
+./scripts/automation/assemble_catalogs.sh $version_tag
 git config --global user.email "automation@example.com"
 git config --global user.name "Automation Bot"
 semantic-release publish
\ No newline at end of file
From 7f8bf2c93f8a1cd137362d40309f50e86ae0a4a3 Mon Sep 17 00:00:00 2001
From: "semantic-release (via TravisCI)"
Date: Wed, 19 Feb 2025 17:15:11 -0500
Subject: [PATCH 14/14] fix: update script name
---
 scripts/automation/update_profile.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/automation/update_profile.sh b/scripts/automation/update_profile.sh
index 463630b..3a11ff2 100755
--- a/scripts/automation/update_profile.sh
+++ b/scripts/automation/update_profile.sh
@@ -16,7 +16,7 @@ else
 echo "Nothing to commit"
 else
 git commit -m "$COMMIT_TITLE"
-remote=https://$GIT_TOKEN@github.com/ComplianceAsCode/ocp-oscal-profiles
+remote=https://$GITHUB_TOKEN@github.com/oscal-compass/e2e-demo-cac-profile-cis
 git push -u "$remote" "catalogs_autoupdate_$GITHUB_RUN_ID"
 echo $COMMIT_BODY
 gh pr create -t "$COMMIT_TITLE" -b "$COMMIT_BODY" -B "develop" -H "catalogs_autoupdate_$GITHUB_RUN_ID"
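Review bot: The new `remote=https://$GITHUB_TOKEN@github.com/oscal-compass/e2e-demo-cac-profile-cis` line in update_profile.sh keeps the credential inside the remote URL, so any `set -x` trace, an `echo` of `$remote`, or a git failure that prints the URL could land the token in the job log, depending on what the runner masks. Since the script already relies on `gh` (the `gh pr create` call two lines below), letting it supply git credentials keeps the secret out of the URL: `gh auth setup-git` before the push and a plain `remote=https://github.com/oscal-compass/e2e-demo-cac-profile-cis`, assuming gh is authenticated from the same GITHUB_TOKEN environment. The subject `fix: update script name` does not mention that this hunk also switches the token variable from `GIT_TOKEN` to `GITHUB_TOKEN` and changes the target repository, so the message or the commit split deserves a look. The enclosing if/else block begins and ends outside the hunk.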