v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)

server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the controller manager

server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the controller manager

ority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership Pass 1.1.2 - Ensure that the --basic-auth-file argument is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--basic-auth-file=.*").string' Returned Value: null Result: 1.1.20 - Ensure that the --token-auth-file parameter is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--token-auth-file=.*").string' Returned Value: null Result:

can not be changed during application OTA. If no error is reported, the baetyl.sock (only on Linux) file is generated in the var/run/ directory. 3. The Master will then attempt to load the application configuration otherwise the list of services and storage volumes in the application configuration will be loaded. This file will be updated during application OTA, and the system will update the services according to the development community has been growing fast, so we encourage developers to submit code. And please file Pull Requests from your fork. To make a fork, please refer to Github page and click on the “Fork”

can not be changed during application OTA. If no error is reported, the baetyl.sock (only on Linux) file is generated in the var/run/ directory. 3. The Master will then attempt to load the application configuration otherwise the list of services and storage volumes in the application configuration will be loaded. This file will be updated during application OTA, and the system will update the services according to the new development community has been growing fast, so we encourage developers to submit code. And please file Pull Requests from your fork. To make a fork, please refer to Github page and click on the “Fork”

can not be changed during application OTA. If no error is reported, the baetyl.sock (only on Linux) file is generated in the var/run/ directory. 3. The Master will then attempt to load the application configuration otherwise the list of services and storage volumes in the application configuration will be loaded. This file will be updated during application OTA, and the system will update the services according to the new development community has been growing fast, so we encourage developers to submit code. And please file Pull Requests from your fork. To make a fork, please refer to Github page and click on the “Fork”

can not be changed during application OTA. If no error is reported, the baetyl.sock (only on Linux) file is generated in the var/run/ directory. 3. The Master will then attempt to load the application configuration otherwise the list of services and storage volumes in the application configuration will be loaded. This file will be updated during application OTA, and the system will update the services according to the development community has been growing fast, so we encourage developers to submit code. And please file Pull Requests from your fork. To make a fork, please refer to Github page and click on the “Fork”

............................................................................... 68 Creating JAR file in Eclipse ...................................................................................... .................................................................... 264 Creating Role with Permissions to Work with DynamoDB and AWS Lambda ......................................... 269 Create Function ............................................................. 309 Create Role with Required Permissions ..............................................................................................

Not Hardened 001 Low The Sidecar Does Not Use Apparmor/Seccomp By Default 005 Low Insecure File Permissions Set 007 Low Istio Client-Side Bypasses 014 Low Sidecar Envoy Administrative Interface Exposed to ensure that a downloaded file has the correct content and was not modified or corrupted. If a weak hash is used for this purpose, an attacker could create a malicious file with the same hash as the original 189) // getHashSum is a helper func to calculate sha1 sum. func getHashSum(file string) ([]byte, error) { f, err := os.Open(file) if err != nil { return nil, err } defer f.Close() r := bufio.NewReader(f)