CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
chown -R root:root /etc/kubernetes/pki/ Audit: check_files_owner_in_dir.sh /node/etc/kubernetes/ssl Expected Result: 'true' is equal to 'true' Audit Script: #!/usr/bin/env bash # This script is chmod -R 644 /etc/kubernetes/pki/*.crt Audit: check_files_permissions.sh /node/etc/kubernetes/ssl/!(*key).pem Expected Result: 'true' is equal to 'true' Audit Script: #!/usr/bin/env bash # This on the master node. For example, chmod -R 600 /etc/kubernetes/ssl/*key.pem Audit: check_files_permissions.sh /node/etc/kubernetes/ssl/*key.pem 600 Expected Result: 'true' is equal to 'true' Audit
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
match("--kubelet-client-certificate=.*").string' Returned Value: --kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem Audit ( --kubelet-client-key ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--kubelet-client-key=.*").string' Returned Value: --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem Result: Pass 1.1.23 Ensure that the --service-account-lookup argument is match("--service-account-key-file=.*").string' Returned Value: --service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem Result: Pass 1.1.26 - Ensure that the --etcd-certfile and
0 credits | 47 pages | 302.56 KB | 1 year ago
Apache Karaf Decanter 1.x - Documentation
Security (SSL) #security.protocol=SSL # SSL truststore location (Kafka broker) and password #ssl.truststore.location=${karaf.etc}/keystores/keystore.jks #ssl.truststore.password=karaf # SSL keystore (if is required) #ssl.keystore.location=${karaf.etc}/keystores/clientstore.jks #ssl.keystore.password=karaf #ssl.key.password=karaf # (Optional) SSL provider (default uses the JVM one) #ssl.provider= # (Optional) (Optional) SSL Cipher suites #ssl.cipher.suites= # (Optional) SSL Protocols enabled (default is TLSv1.2,TLSv1.1,TLSv1) #ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1 The configuration is similar to the
0 credits | 67 pages | 213.16 KB | 1 year ago
Apache Karaf Decanter 2.x - Documentation
Security (SSL) #security.protocol=SSL # SSL truststore location (Kafka broker) and password #ssl.truststore.location=${karaf.etc}/keystores/keystore.jks #ssl.truststore.password=karaf # SSL keystore (if is required) #ssl.keystore.location=${karaf.etc}/keystores/clientstore.jks #ssl.keystore.password=karaf #ssl.key.password=karaf # (Optional) SSL provider (default uses the JVM one) #ssl.provider= # (Optional) (Optional) SSL Cipher suites #ssl.cipher.suites= # (Optional) SSL Protocols enabled (default is TLSv1.2,TLSv1.1,TLSv1) #ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1 # (Optional) SSL Truststore type (default
0 credits | 64 pages | 812.01 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the "${FILES_PERMISSIONS}" echo "true" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the "${FILES_PERMISSIONS}" echo "true" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions
0 credits | 54 pages | 447.97 KB | 1 year ago
BAETYL 0.1.6 Documentation
oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html], and supports four access methods: TCP, SSL, WS, and WSS; The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement capabilities for all services. Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: Support Connect, Disconnect
0 credits | 119 pages | 11.46 MB | 1 year ago
BAETYL 1.0.0 Documentation
oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html], and supports four access methods: TCP, SSL, WS, and WSS; The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement capabilities for all services. Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: Support Connect, Disconnect
0 credits | 135 pages | 15.44 MB | 1 year ago
BAETYL 0.1.6 Documentation
subscription and publishing functions based on the MQTT protocol, and supports four access methods: TCP, SSL, WS, and WSS; • The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement Modules 17 BAETYL Documentation Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: • Support Connect, Disconnect
0 credits | 120 pages | 7.27 MB | 1 year ago
BAETYL 1.0.0 Documentation
subscription and publishing functions based on the MQTT protocol, and supports four access methods: TCP, SSL, WS, and WSS; • The official module baetyl-remote-mqtt is used to bridge two MQTT Servers for message MQTT and HTTPS channels. MQTT enforces two-way authentication for SSL/TLS certificates. HTTPS enforces one-way authentication for SSL/TLS certificates. Developers can refer to this module to implement Modules 17 BAETYL Documentation Currently supports 4 access methods: TCP, SSL (TCP + SSL), WS (Websocket) and WSS (Websocket + SSL). The MQTT protocol support is as follows: • Support Connect, Disconnect
0 credits | 145 pages | 9.31 MB | 1 year ago
206 results in total