1.1.2 Ensure that the API server pod specification file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.5 Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.13 Ensure that the kubeconfig file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.1.15 Ensure that the Scheduler kubeconfig file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.1.16 Ensure that the Scheduler kubeconfig file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.17 Ensure that the Controller Manager kubeconfig file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.1.20 Ensure that the OpenShift PKI certificate file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.2 Ensure that the --basic-auth-file argument is not set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT, MAINTENANCE |
1.2.4 Use https for kubelet connections | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.11 Ensure that the admission control plugin AlwaysPullImages is not set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.12 Ensure that the admission control plugin ServiceAccount is set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.13 Ensure that the admission control plugin NamespaceLifecycle is set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
1.2.15 Ensure that the admission control plugin NodeRestriction is set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SYSTEM AND SERVICES ACQUISITION |
1.2.18 Ensure that the --secure-port argument is not set to 0 | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.2.20 Ensure that the --audit-log-path argument is set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | AUDIT AND ACCOUNTABILITY |
1.2.21 Ensure that the audit logs are forwarded off the cluster for retention | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | AUDIT AND ACCOUNTABILITY |
1.2.25 Ensure that the --service-account-lookup argument is set to true | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.29 Ensure that the --client-ca-file argument is set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.2.31 Ensure that encryption providers are appropriately configured | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.4.2 Verify that the scheduler API service is protected by RBAC | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SYSTEM AND COMMUNICATIONS PROTECTION |
2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.2 Ensure that the --client-cert-auth argument is set to true | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
4.2.2 Ensure that the --anonymous-auth argument is set to false | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
4.2.5 Verify that the read only port is not used or is set to 0 | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT |
4.2.7 Ensure that the --make-iptables-util-chains argument is set to true | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.2.11 Verify that the RotateKubeletServerCertificate argument is set to true | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.3 Do not install unnecessary packages in the container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
5.1.1 Ensure that the cluster-admin role is only used where required | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
5.1.3 Minimize wildcard use in Roles and ClusterRoles | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
5.1.5 Ensure that default service accounts are not actively used | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL
5.2.1 Minimize the admission of privileged containers | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
5.2.2 Minimize the admission of containers wishing to share the host process ID namespace | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
5.2.3 Minimize the admission of containers wishing to share the host IPC namespace | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SYSTEM AND COMMUNICATIONS PROTECTION |
5.3.18 Collect Kernel Module Loading and Unloading - /sbin/insmod | CIS Red Hat Enterprise Linux 5 L2 v2.2.1 | Unix | CONFIGURATION MANAGEMENT |
5.3.18 Collect Kernel Module Loading and Unloading - /sbin/rmmod | CIS Red Hat Enterprise Linux 5 L2 v2.2.1 | Unix | CONFIGURATION MANAGEMENT |
5.4.2 Consider external secret storage | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | SYSTEM AND COMMUNICATIONS PROTECTION |
6.3.5 Limit Password Reuse - password sufficient pam_unix.o <existing options> remember=5 | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
7.6 Remove the X wrapper and enable xdm | CIS FreeBSD v1.0.5 | Unix | CONFIGURATION MANAGEMENT |
DKER-EE-004030 - The on-failure container restart policy must be set to 5 in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
Number of recent user passwords to store | Tenable Cisco ACI | Cisco_ACI | IDENTIFICATION AND AUTHENTICATION |
O112-C2-015700 - The DBMS must use NIST-validated FIPS 140-2-compliant cryptography for authentication mechanisms. | DISA STIG Oracle 11.2g v2r5 Linux | Unix | IDENTIFICATION AND AUTHENTICATION |
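The file permission and ownership rows above (1.1.2 through 1.1.20, 4.1.6, 4.1.7) all reduce to two tests: a mode that is "N or more restrictive" and an exact owner:group. The following is an added example, not part of the Tenable listing or the CIS benchmark, showing how to evaluate both correctly; the one subtle point is that "600 or more restrictive" is a bitmask test, not a numeric comparison, so 0444 fails it. The file path used in the usage stanza is a placeholder assumption, not a path taken from the benchmark.

```python
import os
import stat
import pwd
import grp
from typing import Dict, List, Tuple


def mode_at_most(path: str, max_mode: int) -> bool:
    """True if no permission bit is set on `path` that is clear in `max_mode`.

    "600 or more restrictive" accepts 0600, 0400, 0200 and 0000, but rejects
    0640 (adds group read), 0700 (adds owner execute) and 0444 (adds group and
    other read) even though 0444 is numerically smaller than 0600. The
    setuid/setgid/sticky bits are part of S_IMODE and fail the check as well.
    """
    actual = stat.S_IMODE(os.stat(path).st_mode)
    return actual & ~max_mode == 0


def owned_by(path: str, uid: int, gid: int) -> bool:
    """True if the file is owned by exactly uid:gid. Numeric comparison, so it
    also works on hosts where the owning uid has no passwd entry."""
    st = os.stat(path)
    return st.st_uid == uid and st.st_gid == gid


def resolve_owner(user: str, group: str) -> Tuple[int, int]:
    """Map names such as root:root or etcd:etcd to the numeric ids the
    kernel actually stores."""
    return pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid


def audit(checks: List[Dict]) -> List[str]:
    """Evaluate each check and return human-readable findings.

    A check is a dict with "path" and optionally "max_mode" (int) and
    "owner" ((uid, gid)). A missing file is reported as a finding: an
    auditor must never silently pass a control it could not evaluate.
    """
    findings = []
    for c in checks:
        path = c["path"]
        if not os.path.exists(path):
            findings.append(f"{path}: MISSING (control could not be evaluated)")
            continue
        st = os.stat(path)
        if "max_mode" in c and not mode_at_most(path, c["max_mode"]):
            findings.append(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o} exceeds {c['max_mode']:04o}")
        if "owner" in c and not owned_by(path, *c["owner"]):
            findings.append(
                f"{path}: owner {st.st_uid}:{st.st_gid} != "
                f"{c['owner'][0]}:{c['owner'][1]}")
    return findings


if __name__ == "__main__":
    # Placeholder path (an assumption for illustration only); substitute the
    # manifest locations named in your benchmark's audit procedure.
    root = resolve_owner("root", "root")
    for line in audit([{"path": "/path/to/scheduler-pod.yaml",
                        "max_mode": 0o600, "owner": root}]):
        print(line)
```

On an OpenShift 4 cluster the node filesystem is reached with `oc debug node/<name>` followed by `chroot /host`; run the script there rather than against a copy of the file, since ownership and mode are properties of the node's inode, not of the content.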
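The RBAC rows above (5.1.1 cluster-admin use, 5.1.3 wildcards in Roles and ClusterRoles, 5.1.5 default service accounts) name what to look for but not how. The following is an added example, not part of the Tenable listing or the CIS benchmark, that inspects Role, ClusterRole and binding objects in the shape returned by `oc get clusterroles,clusterrolebindings -o json` (a `List` whose `items` are the objects). The sample objects, their names and subjects are constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed sample objects (assumptions, not taken from any real cluster or
# from the benchmark) in the shape of `oc get ... -o json` items.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "example-wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "ci"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admins"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "namespace": "ci", "name": "default"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-readers", "namespace": "ci"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                 "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "builder"}]},
]


def load_items(text: str) -> List[Dict]:
    """Parse `oc get <kinds> -o json` output (a v1 List) into its items."""
    return json.loads(text)["items"]


def _subject(s: Dict) -> str:
    ns = s.get("namespace")
    return f"{s['kind']}:{ns}/{s['name']}" if ns else f"{s['kind']}:{s['name']}"


def wildcard_rules(obj: Dict) -> List[str]:
    """CIS 5.1.3: rules using '*' in apiGroups, resources or verbs.
    One wildcard field is already broad; all three together is cluster-admin
    by another name."""
    out = []
    for i, rule in enumerate(obj.get("rules", [])):
        wild = [f for f in ("apiGroups", "resources", "verbs") if "*" in rule.get(f, [])]
        if wild:
            out.append(f"{obj['kind']}/{obj['metadata']['name']} rule[{i}] "
                       f"wildcard in {','.join(wild)}")
    return out


def cluster_admin_subjects(obj: Dict) -> List[str]:
    """CIS 5.1.1: subjects bound to the cluster-admin ClusterRole. A
    ClusterRoleBinding grants it cluster-wide; a RoleBinding to the same role
    is scoped to one namespace, so the binding kind is kept in the output."""
    ref = obj.get("roleRef", {})
    if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
        return []
    return [f"{obj['kind']}/{obj['metadata']['name']} -> {_subject(s)}"
            for s in obj.get("subjects", [])]


def default_sa_subjects(obj: Dict) -> List[str]:
    """CIS 5.1.5: bindings that grant rights to a namespace's 'default'
    ServiceAccount. Every pod without an explicit serviceAccountName runs as
    it, so those rights are inherited by all such pods in the namespace."""
    return [f"{obj['kind']}/{obj['metadata']['name']} -> {_subject(s)}"
            for s in obj.get("subjects", [])
            if s.get("kind") == "ServiceAccount" and s.get("name") == "default"]


def audit_rbac(items: List[Dict]) -> Dict[str, List[str]]:
    """Run all three checks over a mixed list of RBAC objects."""
    report = {"wildcard_rules": [], "cluster_admin": [], "default_sa": []}
    for obj in items:
        kind = obj.get("kind")
        if kind in ("Role", "ClusterRole"):
            report["wildcard_rules"] += wildcard_rules(obj)
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            report["cluster_admin"] += cluster_admin_subjects(obj)
            report["default_sa"] += default_sa_subjects(obj)
    return report


if __name__ == "__main__":
    for check, findings in audit_rbac(SAMPLE_OBJECTS).items():
        for line in findings:
            print(f"[{check}] {line}")
```

Against a live cluster, feed `load_items()` the output of `oc get clusterroles,clusterrolebindings -o json` and `oc get roles,rolebindings -A -o json`. Expect the platform's own `system:`-prefixed ClusterRoles to carry wildcards by design; filter those out by name prefix, or the findings you can actually act on will be buried.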