is set to root:root (Automated) 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Automated) 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root --kubelet-client-certificate=/etc/kubernetes/ssl/kube- apiserver.pem --proxy-client-cert-file=/etc/kubernetes/ssl/ kube-apiserver-proxy-client.pem --service-cluster-ip- range=10.43.0.0/16 --tls-cert-fil --requestheader-allowed- names=kube-apiserver-proxy-client --cloud-provider= --etcd- prefix=/registry --proxy-client-key-file=/etc/kubernetes/ssl/ kube-apiserver-proxy-client-key.pem --allow-privileged=true

pem -rw------- 1 root root 1679 Jul 1 19:53 kube-apiserver-proxy-client-key.pem -rw-r--r-- 1 root root 1107 Jul 1 19:53 kube-apiserver-proxy-client.pem -rw------- 1 root root 1675 Jul 1 19:53 kube-a 1 19:53 kube-node.pem -rw------- 1 root root 1679 Jul 1 19:53 kube-proxy-key.pem -rw-r--r-- 1 root root 1046 Jul 1 19:53 kube-proxy.pem -rw------- 1 root root 1679 Jul 1 19:53 kube-scheduler-key.pem - %a" /etc/kubernetes/ssl/*.pem |grep -v key Returned Value: /etc/kubernetes/ssl/kube-apiserver-proxy-client.pem - 644 /etc/kubernetes/ssl/kube-apiserver-requestheader-ca.pem - 644 /etc/kubernetes/ssl/kube-apiserver

service. All configuration is passed in as arguments at container run time. 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) Result: PASS Remediation: /etc/kubernetes/ssl/kubecfg-kube-proxy.yaml Audit: /bin/sh -c 'if test -e /etc/kubernetes/ssl/kubecfg-kube- proxy.yaml; then stat -c %a /etc/kubernetes/ssl/kubecfg-kube- proxy.yaml; fi' CIS Benchmark Rancher '444' is present OR '440' is present OR '400' is present OR '000' is present 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) Result: PASS Remediation: Run the below command

service. All configuration is passed in as arguments at container run time. 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) Result: PASS Remediation: /etc/kubernetes/ssl/kubecfg-kube-proxy.yaml Audit: /bin/sh -c 'if test -e /etc/kubernetes/ssl/kubecfg-kube- proxy.yaml; then stat -c %a /etc/kubernetes/ssl/kubecfg-kube- proxy.yaml; fi' CIS 1.5 Benchmark '444' is present OR '440' is present OR '400' is present OR '000' is present 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) Result: PASS Remediation: Run the below command

kube-system kube-proxy-rke2-a1 1/1 Running 0 17h 172.16.0.12 rke2-a1 kube-system kube-proxy-rke2-a2 0 17h 172.16.0.13 rke2-a2 kube-system kube-proxy-rke2-s1 1/1 Running 0 17h 172.16.0.11 kube-system kube-proxy-rke2-a1 1/1 Running 0 17h 172.16.0.12 rke2-a1 kube-system kube-proxy-rke2-a2

kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/proxy-buffer-size: 16k nginx.ingress.kubernetes.io/proxy-connect-timeout: "30" nginx.ingress.kubernetes.io/proxy-read-timeout: t: "1800" nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" name: vsystem 16 SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere spec: rules: - host:

Technical Architecture 2.1.2 OpenShift 17 2.1.3 Rancher The Rancher Server consists of Authentication Proxy, Rancher API Server, Cluster Controller, etcd node, and Cluster Agent. All the components are deployed

namespace: kube-system addons_include: [] system_images: etcd: "" alpine: "" nginx_proxy: "" cert_downloader: "" kubernetes_services_sidecar: "" kubedns: "" dnsmasq: "" kubedns_sidecar:

addons_include: [] system_images: Hardening Guide v2.4 12 etcd: "" alpine: "" nginx_proxy: "" cert_downloader: "" kubernetes_services_sidecar: "" kubedns: "" dnsmasq: "" kubedns_sidecar:

Linux workstation are VMs configured with SLES15 SP2 operating system. The RMT server acts as a proxy server to SUSE customer center with repositories. It helps the customers with SUSE Linux Enterprise