Audit Item | Audit | Platform | Control Families |
--- | --- | --- | --- |
1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
1.1.13 Ensure that the kubeconfig file permissions are set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.11 Ensure that the admission control plugin AlwaysPullImages is not set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
1.2.15 Ensure that the admission control plugin NodeRestriction is set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SYSTEM AND SERVICES ACQUISITION |
1.2.18 Ensure that the --secure-port argument is not set to 0 | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
1.2.20 Ensure that the --audit-log-path argument is set | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | AUDIT AND ACCOUNTABILITY |
2.2.11 Disable Apache services - Make sure that network/http:apache2 is disabled. | CIS Solaris 10 L1 v5.2 | Unix | |
2.7 Ensure that a unique Certificate Authority is used for etcd | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
4.1.3 If proxy kube proxy configuration file exists ensure permissions are set to 644 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL, MEDIA PROTECTION |
4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | ACCESS CONTROL |
4.2.6 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT |
4.3 Do not install unnecessary packages in the container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
4.3 Do not install unnecessary packages in the container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
4.3 Ensure the maximum failed login attempts is set to 5 | CIS VMware ESXi 6.7 v1.3.0 Level 1 | VMware | ACCESS CONTROL |
4.3 Ensure unnecessary packages are not installed in the container | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
5.1.2 Minimize access to secrets | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | SYSTEM AND COMMUNICATIONS PROTECTION |
5.1.4 Minimize access to create pods | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
5.1.6 Ensure that Service Account Tokens are only mounted where necessary | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | CONFIGURATION MANAGEMENT |
5.3.2 Ensure that all Namespaces have Network Policies defined | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.3.3 Ensure password reuse is limited - password-auth | CIS Amazon Linux v2.1.0 L1 | Unix | IDENTIFICATION AND AUTHENTICATION |
5.3.3 Ensure password reuse is limited - system-auth | CIS Amazon Linux v2.1.0 L1 | Unix | IDENTIFICATION AND AUTHENTICATION |
5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
6.12 Ensure all HTTP Header Logging options are enabled - X-Forwarded-For | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
6.12 Ensure all HTTP Header Logging options are enabled - X-Forwarded-For | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
Apache HTTP Server 2.2.x is installed and running on the system | DISA STIG Apache Server 2.2 Windows v1r13 | Windows | |
Apache HTTP Server 2.4.x is installed and running on the system | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | |
Apache HTTP Server 2.4.x is installed and running on the system | DISA STIG Apache Server 2.4 Windows Site v2r1 | Windows | |
ARST-RT-000560 - The Arista BGP router must be configured to use the maximum prefixes feature to protect against route table flooding and prefix de-aggregation attacks. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
BuildConfigs | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | |
CIS_Cisco_IOS_XE_16.x_v2.1.0_L1.audit from CIS Cisco IOS XE 16.x Benchmark v2.1.0 | CIS Cisco IOS XE 16.x v2.1.0 L1 | Cisco | |
CIS_Cisco_IOS_XE_16.x_v2.1.0_L2.audit from CIS Cisco IOS XE 16.x Benchmark v2.1.0 | CIS Cisco IOS XE 16.x v2.1.0 L2 | Cisco | |
CIS_Cisco_IOS_XE_17.x_v2.1.0_L1.audit from CIS Cisco IOS XE 17.x Benchmark v2.1.0 | CIS Cisco IOS XE 17.x v2.1.0 L1 | Cisco | |
CISC-RT-000240 - The Cisco perimeter router must be configured to deny network traffic by default and allow network traffic by exception. | DISA STIG Cisco IOS-XR Router RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
ClusterOperators | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | |
ConfigMaps | CIS RedHat OpenShift Container Platform v1.6.0 L1 | OpenShift | |
DISA_STIG_MongoDB_Enterprise_Advanced_3.x_DB_v2r3.audit from DISA MongoDB Enterprise Advanced 3.x v2r3 STIG | DISA STIG MongoDB Enterprise Advanced 3.x v2r3 DB | MongoDB | |
DISA_STIG_MongoDB_Enterprise_Advanced_4.x_DB_v1r4.audit from DISA MongoDB Enterprise Advanced 4.x v1r4 STIG | DISA STIG MongoDB Enterprise Advanced 4.x v1r4 DB | MongoDB | |
GEN005180 - All .Xauthority files must have mode 0600 or less permissive. | DISA STIG Solaris 10 SPARC v2r4 | Unix | CONFIGURATION MANAGEMENT |
GEN005190 - The .Xauthority files must not have extended ACLs. | DISA STIG Solaris 10 SPARC v2r4 | Unix | CONFIGURATION MANAGEMENT |
ImageStreams | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | |
Namespaces | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | |
openshift-apiserver | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | |
openshift-kube-apiserver | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | |
ReplicationControllers | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | |
Secrets | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | |