addressing these through future enhancements to the product. 1.1.21 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored) Notes RKE is using the kubelet's ability to automatically create self-signed certs. No CA cert is saved to verify [0].Args[] | match("--kubelet-certificate-authority=.*").string' Returned Value: none Result: Fail (See Mitigation) 1.1.22 - Ensure that the --kubelet-client-certificate and -- kubelet-client-key

○ As of Istio 1.7.7+, 1.8.2+ and 1.9.0+ there is no longer the restriction that a plugged in CA certificate must use ECC cryptography (using ECDSA P-256) to use this feature ● Only ECDSA P-256 is supported certificateChain.inlineBytes' | \ sed 's/"//g' | base64 --decode | openssl x509 -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: … Signature Algorithm: prime256v1 NIST CURVE: P-256 istiod will generate a self-signed CA certificate using RSA if plugged in custom CA certificates aren’t specified #IstioCon MeshConfig support In Istio

was created which matched areas of code with specific security controls (e.g. service discovery, certificate lifecycle, side car injection) to focus testing efforts. Istio does not currently have a reference Sidecar Envoy Administrative Interface Exposed To Workload Containers 018 Low DestinationRules Without CA Certificates Field Do Not Validate Certificates 019 Low Default Injected Init Container Requires Sensitive but the only options included are how to “Harden Docker Container Images” and “Extending Self-Signed Certificate Lifetime”. There’s an op- portunity to highlight the impact of different securty options

Additions, the code signing certificates used to sign the drivers needs to be installed in the correct certificate stores on the guest operating system. Failure to do this will cause a typical Windows installation vbox*.cer --root vbox*.cer This command installs the certificates to the certificate store. When installing the same certificate more than once, an appropriate error will be displayed. To allow for completely acts as a hardware 3D driver and reports to the guest operating system that the virtual hardware is ca- pable of 3D hardware acceleration. When an application in the guest then requests hardware acceleration

Additions, the code signing certificates used to sign the drivers needs to be installed in the correct certificate stores on the guest operating system. Failure to do this will cause a typical Windows installation vbox*.cer --root vbox*.cer This command installs the certificates to the certificate store. When installing the same certificate more than once, an appropriate error will be displayed. To allow for completely acts as a hardware 3D driver and reports to the guest operating system that the virtual hardware is ca- pable of 3D hardware acceleration. When an application in the guest then requests hardware acceleration

Additions, the code signing certificates used to sign the drivers needs to be installed in the correct certificate stores on the guest operating system. Failure to do this will cause a typical Windows installation vbox*.cer --root vbox*.cer This command installs the certificates to the certificate store. When installing the same certificate more than once, an appropriate error will be displayed. To allow for completely acts as a hardware 3D driver and reports to the guest operating system that the virtual hardware is ca- pable of 3D hardware acceleration. When an application in the guest then requests hardware acceleration

Additions, the code signing certificates used to sign the drivers needs to be installed in the correct certificate stores on the guest operating system. Failure to do this will cause a typical Windows installation vbox*.cer --root vbox*.cer This command installs the certificates to the certificate store. When installing the same certificate more than once, an appropriate error will be displayed. To allow for completely acts as a hardware 3D driver and reports to the guest operating system that the virtual hardware is ca- pable of 3D hardware acceleration. When an application in the guest then requests hardware acceleration

Additions, the code signing certificates used to sign the drivers needs to be installed in the correct certificate stores on the guest operating system. Failure to do this will cause a typical Windows installation vbox*.cer --root vbox*.cer This command installs the certificates to the certificate store. When installing the same certificate more than once, an appropriate error will be displayed. To allow for completely acts as a hardware 3D driver and reports to the guest operating system that the virtual hardware is ca- pable of 3D hardware acceleration. When an application in the guest then requests hardware acceleration

Additions, the code signing certificates used to sign the drivers needs to be installed in the correct certificate stores on the guest operating system. Failure to do this will cause a typical Windows installation vbox*.cer --root vbox*.cer This command installs the certificates to the certificate store. When installing the same certificate more than once, an appropriate error will be displayed. To allow for completely acts as a hardware 3D driver and reports to the guest operating system that the virtual hardware is ca- pable of 3D hardware acceleration. When an application in the guest then requests hardware acceleration

Additions, the code signing certificates used to sign the drivers needs to be installed in the correct certificate stores on the guest operating system. Failure to do this will cause a typical Windows installation vbox*.cer --root vbox*.cer This command installs the certificates to the certificate store. When installing the same certificate more than once, an appropriate error will be displayed. To allow for completely acts as a hardware 3D driver and reports to the guest operating system that the virtual hardware is ca- pable of 3D hardware acceleration. When an application in the guest then requests hardware acceleration