Kubernetes System Assessment Results - DORA

Results Information

UUID ce783bd8-7d8e-4214-9c04-cb2531c89791

Regulation EU DORA

Assessment Scope host-assessment

Subject Count 4

Result Summary partial-pass-with-findings

Version 1.0

Last Modified 2026-05-09 08:16:56.922364+00:00

OSCAL Version 1.2.1

Referenced Assessment Plan

Assessment Plan Location: ../assessment-plans/Kubernetes-System-ap-dora/assessment-plan.json

Assessment Activities

Mapped XCCDF evidence analysis

XCCDF rule results were normalized and mapped to EU DORA control identifiers.

1. Parse XCCDF rule results Collected rule pass/fail results for all 10 Ubuntu servers.

2. Map rules to controls Used component definition implemented-requirement Rule_Id properties to associate evidence with controls.

Assessment Result Sets

EU DORA assessment execution results

Assessment results for 10 inventory items evaluated against EU DORA using mapped XCCDF evidence.

Start: 2026-04-09 08:16:56.922364+00:00 End: 2026-05-09 08:16:56.922364+00:00

Remarks: Assessment results generated from XCCDF scan data for 10 servers with 17 controls evaluated.

Reviewed Controls

ac-2: partially-satisfied (10 pass / 6 fail rule evaluations)

ac-3: partially-satisfied (15 pass / 1 fail rule evaluations)

ac-6: partially-satisfied (4 pass / 0 fail rule evaluations, 45% coverage)

au-2: partially-satisfied (4 pass / 2 fail rule evaluations, 45% coverage)

au-6.4: partially-satisfied (6 pass / 6 fail rule evaluations)

cm-2: satisfied (12 pass / 0 fail rule evaluations)

cm-6: partially-satisfied (7 pass / 0 fail rule evaluations, 40% coverage)

cm-7: partially-satisfied (12 pass / 4 fail rule evaluations)

ia-5: partially-satisfied (14 pass / 2 fail rule evaluations)

sc-13: partially-satisfied (5 pass / 0 fail rule evaluations, 35% coverage)

sc-23: partially-satisfied (13 pass / 3 fail rule evaluations)

sc-28: partially-satisfied (4 pass / 0 fail rule evaluations, 40% coverage)

sc-7: partially-satisfied (4 pass / 0 fail rule evaluations, 30% coverage)

sc-8: partially-satisfied (7 pass / 1 fail rule evaluations, 35% coverage)

si-2: partially-satisfied (3 pass / 0 fail rule evaluations, 30% coverage)

si-4: partially-satisfied (8 pass / 4 fail rule evaluations)

si-7: partially-satisfied (11 pass / 1 fail rule evaluations)

Assessment Log

XCCDF scans executed

Executed security compliance scans on 10 inventory items.

Start: 2026-04-09 08:16:56.922364+00:00 End: 2026-04-10 08:16:56.922364+00:00

Control mapping analysis completed

Mapped rule-level evidence to control identifiers using component definitions and regulatory mappings.

Start: 2026-05-08 08:16:56.922364+00:00 End: 2026-05-09 08:16:56.922364+00:00

Observations (17)

Control ac-2 assessment outcome

Control ac-2 is partially-satisfied based on 10 passing and 6 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_anonymous_auth, control_plane_api_server_basic_auth, control_plane_api_server_token_auth, worker_node_kubelet_anonymous_auth

Control ac-3 assessment outcome

Control ac-3 is partially-satisfied based on 15 passing and 1 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_authorization_mode, control_plane_api_server_authorization_mode_node, control_plane_api_server_authorization_mode_rbac, worker_node_kubelet_authorization_mode

Control ac-6 assessment outcome

Control ac-6 is partially-satisfied based on 4 passing and 0 failing mapped XCCDF rule evaluations across 4 assessed subjects with 45% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_admission_control_plugin_always_admit, control_plane_api_server_admission_control_plugin_security_context_deny, pod_security_policy_enabled

Control au-2 assessment outcome

Control au-2 is partially-satisfied based on 4 passing and 2 failing mapped XCCDF rule evaluations across 4 assessed subjects with 45% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_audit_log_maxage, control_plane_api_server_audit_log_maxbackup, control_plane_api_server_audit_log_maxsize, control_plane_api_server_audit_log_path

Control au-6.4 assessment outcome

Control au-6.4 is partially-satisfied based on 6 passing and 6 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_audit_log_maxage, control_plane_api_server_audit_log_maxbackup, control_plane_api_server_audit_log_path

Control cm-2 assessment outcome

Control cm-2 is satisfied based on 12 passing and 0 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: worker_node_kubelet_hostname_override, worker_node_kubelet_make_iptables_util_chains, worker_node_kubelet_protect_kernel_defaults

Control cm-6 assessment outcome

Control cm-6 is partially-satisfied based on 7 passing and 0 failing mapped XCCDF rule evaluations across 4 assessed subjects with 40% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_insecure_port, control_plane_api_server_profiling, control_plane_api_server_secure_port, control_plane_controller_manager_profiling, control_plane_scheduler_profiling

Control cm-7 assessment outcome

Control cm-7 is partially-satisfied based on 12 passing and 4 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_admission_control_plugin_namespace_lifecycle, control_plane_api_server_admission_control_plugin_node_restriction, control_plane_api_server_admission_control_plugin_pod_security_policy, network_policy_enabled

Control ia-5 assessment outcome

Control ia-5 is partially-satisfied based on 14 passing and 2 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_client_ca_file, control_plane_api_server_kubelet_certificate_authority, control_plane_api_server_kubelet_client_certificate, worker_node_kubelet_client_ca_file

Control sc-13 assessment outcome

Control sc-13 is partially-satisfied based on 5 passing and 0 failing mapped XCCDF rule evaluations across 4 assessed subjects with 35% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_encryption_provider_config, control_plane_api_server_tls_cipher_suites, etcd_client_cert_auth, etcd_peer_client_cert_auth

Control sc-23 assessment outcome

Control sc-23 is partially-satisfied based on 13 passing and 3 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_admission_control_plugin_service_account, control_plane_api_server_service_account_key_file, control_plane_api_server_service_account_lookup, control_plane_controller_manager_service_account_private_key_file

Control sc-28 assessment outcome

Control sc-28 is partially-satisfied based on 4 passing and 0 failing mapped XCCDF rule evaluations across 4 assessed subjects with 40% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: etcd_auto_tls, etcd_peer_auto_tls, etcd_unique_ca

Control sc-7 assessment outcome

Control sc-7 is partially-satisfied based on 4 passing and 0 failing mapped XCCDF rule evaluations across 4 assessed subjects with 30% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_etcd_cafile, control_plane_controller_manager_bind_address, control_plane_scheduler_bind_address, worker_node_kubelet_read_only_port

Control sc-8 assessment outcome

Control sc-8 is partially-satisfied based on 7 passing and 1 failing mapped XCCDF rule evaluations across 4 assessed subjects with 35% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_etcd_certfile, control_plane_api_server_kubelet_https, control_plane_api_server_tls_cert_file, etcd_cert_file, etcd_peer_cert_file, worker_node_kubelet_tls_cert_file

Control si-2 assessment outcome

Control si-2 is partially-satisfied based on 3 passing and 0 failing mapped XCCDF rule evaluations across 4 assessed subjects with 30% mapping coverage (partial coverage = partially-satisfied).

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_controller_manager_root_ca_file, control_plane_controller_manager_terminated_pod_gc_threshold, control_plane_controller_manager_use_service_account_credentials

Control si-4 assessment outcome

Control si-4 is partially-satisfied based on 8 passing and 4 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_request_timeout, worker_node_kubelet_event_qps, worker_node_kubelet_streaming_connection_idle_timeout

Control si-7 assessment outcome

Control si-7 is partially-satisfied based on 11 passing and 1 failing mapped XCCDF rule evaluations across 4 assessed subjects.

TEST finding Subjects: 4

Collected: 2026-05-09 08:16:56.922364+00:00

Evidence: Mapped rules: control_plane_api_server_admission_control_plugin_always_pull_images, control_plane_controller_manager_feature_gates_rotate_kubelet_server_certificate, worker_node_kubelet_rotate_certificates