mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2025-01-04 12:50:53 +00:00
784 lines
33 KiB
YAML
784 lines
33 KiB
YAML
|
---
|
||
|
controls:
|
||
|
version: "cis-1.6-k3s"
|
||
|
id: 1
|
||
|
text: "Master Node Security Configuration"
|
||
|
type: "master"
|
||
|
groups:
|
||
|
- id: 1.1
|
||
|
text: "Master Node Configuration Files"
|
||
|
checks:
|
||
|
- id: 1.1.1
|
||
|
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.2
|
||
|
text: "Ensure that the API server pod specification file ownership is set to root:root (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.3
|
||
|
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.4
|
||
|
text: "Ensure that the controller manager pod specification file ownership is set to root:root (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.5
|
||
|
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.6
|
||
|
text: "Ensure that the scheduler pod specification file ownership is set to root:root (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.7
|
||
|
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.8
|
||
|
text: "Ensure that the etcd pod specification file ownership is set to root:root (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.9
|
||
|
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.10
|
||
|
text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.11
|
||
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive if etcd is used (Automated)"
|
||
|
audit: stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "permissions"
|
||
|
compare:
|
||
|
op: bitmask
|
||
|
value: "700"
|
||
|
remediation: |
|
||
|
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
|
||
|
from the below command:
|
||
|
journalctl -u k3s | grep 'Managed etcd' | grep -v grep
|
||
|
Run the below command (based on the etcd data directory found above). For example,
|
||
|
chmod 700 /var/lib/rancher/k3s/server/db/etcd
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.12
|
||
|
text: "Ensure that the etcd data directory ownership is set to etcd:etcd if etcd is used (Not Applicable)"
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.1.13
|
||
|
text: "Ensure that the admin.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
|
||
|
audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "permissions"
|
||
|
compare:
|
||
|
op: bitmask
|
||
|
value: "644"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the k3s node.
|
||
|
For example,
|
||
|
chmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.14
|
||
|
text: "Ensure that the admin.kubeconfig file ownership is set to root:root (Automated)"
|
||
|
audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "root:root"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the k3s node.
|
||
|
For example,
|
||
|
chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.15
|
||
|
text: "Ensure that the scheduler.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
|
||
|
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "permissions"
|
||
|
compare:
|
||
|
op: bitmask
|
||
|
value: "644"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the k3s node.
|
||
|
For example,
|
||
|
chmod 644 $schedulerkubeconfig
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.16
|
||
|
text: "Ensure that the scheduler.kubeconfig file ownership is set to root:root (Automated)"
|
||
|
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "root:root"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the k3s node.
|
||
|
For example,
|
||
|
chown root:root $schedulerkubeconfig
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.17
|
||
|
text: "Ensure that the cloud-controller.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
|
||
|
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "permissions"
|
||
|
compare:
|
||
|
op: bitmask
|
||
|
value: "644"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the master node.
|
||
|
For example,
|
||
|
chmod 644 $controllermanagerkubeconfig
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.18
|
||
|
text: "Ensure that the $controllermanagerkubeconfig file ownership is set to root:root (Automated)"
|
||
|
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "root:root"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the master node.
|
||
|
For example,
|
||
|
chown root:root $controllermanagerkubeconfig
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.19
|
||
|
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
|
||
|
audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls"
|
||
|
use_multiple_values: true
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "root:root"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the k3s node.
|
||
|
For example,
|
||
|
chown -R root:root /var/lib/rancher/k3s/server/tls
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.20
|
||
|
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated)"
|
||
|
audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.crt' | xargs stat -c permissions=%a"
|
||
|
use_multiple_values: true
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "permissions"
|
||
|
compare:
|
||
|
op: bitmask
|
||
|
value: "644"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the master node.
|
||
|
For example,
|
||
|
chmod -R 644 /var/lib/rancher/k3s/server/tls/*.crt
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.1.21
|
||
|
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
|
||
|
audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.key' | xargs stat -c permissions=%a"
|
||
|
use_multiple_values: true
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "permissions"
|
||
|
compare:
|
||
|
op: bitmask
|
||
|
value: "600"
|
||
|
remediation: |
|
||
|
Run the below command (based on the file location on your system) on the master node.
|
||
|
For example,
|
||
|
chmod -R 600 /etc/kubernetes/pki/*.key
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2
|
||
|
text: "API Server"
|
||
|
checks:
|
||
|
- id: 1.2.1
|
||
|
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--anonymous-auth"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: false
|
||
|
remediation: |
|
||
|
By default, K3s kube-apiserver is configured to run with --anonymous-auth=false flag and value.
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.2.2
|
||
|
text: "Ensure that the --basic-auth-file argument is not set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "basic-auth-file"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--basic-auth-file"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.3
|
||
|
text: "Ensure that the --token-auth-file parameter is not set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "token-auth-file"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--token-auth-file"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.4
|
||
|
text: "Ensure that the --kubelet-https argument is set to true (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "token-auth-file"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--kubelet-https"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: true
|
||
|
- flag: "--kubelet-https"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s kube-apiserver doesn't run with the --kubelet-https parameter as it runs with TLS. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.5
|
||
|
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'kubelet-client-certificate|kubelet-client-key'
|
||
|
tests:
|
||
|
bin_op: and
|
||
|
test_items:
|
||
|
- flag: "--kubelet-client-certificate"
|
||
|
- flag: "--kubelet-client-key"
|
||
|
remediation: |
|
||
|
By default, K3s kube-apiserver is ran with these arguments for secure communication with kubelet. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.6
|
||
|
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "kubelet-certificate-authority"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--kubelet-certificate-authority"
|
||
|
remediation: |
|
||
|
By default, K3s kube-apiserver is ran with this argument for secure communication with kubelet. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.7
|
||
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--authorization-mode"
|
||
|
compare:
|
||
|
op: nothave
|
||
|
value: "AlwaysAllow"
|
||
|
remediation: |
|
||
|
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.8
|
||
|
text: "Ensure that the --authorization-mode argument includes Node (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--authorization-mode"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "Node"
|
||
|
remediation: |
|
||
|
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.9
|
||
|
text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--authorization-mode"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "RBAC"
|
||
|
remediation: |
|
||
|
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.10
|
||
|
text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "EventRateLimit"
|
||
|
remediation: |
|
||
|
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
|
||
|
To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
|
||
|
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.2.11
|
||
|
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
compare:
|
||
|
op: nothave
|
||
|
value: AlwaysAdmit
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
|
||
|
No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.12
|
||
|
text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "AlwaysPullImages"
|
||
|
remediation: |
|
||
|
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
|
||
|
To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
|
||
|
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.2.13
|
||
|
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "SecurityContextDeny"
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "PodSecurityPolicy"
|
||
|
remediation: |
|
||
|
K3s would need to have the SecurityContextDeny admission plugin enabled by passing it as an argument to K3s.
|
||
|
--kube-apiserver-arg='enable-admission-plugins=SecurityContextDeny
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.2.14
|
||
|
text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "ServiceAccount"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--disable-admission-plugins"
|
||
|
compare:
|
||
|
op: nothave
|
||
|
value: "ServiceAccount"
|
||
|
- flag: "--disable-admission-plugins"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s does not use this argument.
|
||
|
If there's a desire to use this argument, follow the documentation and create ServiceAccount objects as per your environment.
|
||
|
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.15
|
||
|
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "disable-admission-plugins"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--disable-admission-plugins"
|
||
|
compare:
|
||
|
op: nothave
|
||
|
value: "NamespaceLifecycle"
|
||
|
- flag: "--disable-admission-plugins"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s does not use this argument. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.16
|
||
|
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "PodSecurityPolicy"
|
||
|
remediation: |
|
||
|
K3s would need to have the PodSecurityPolicy admission plugin enabled by passing it as an argument to K3s.
|
||
|
--kube-apiserver-arg='enable-admission-plugins=PodSecurityPolicy.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.17
|
||
|
text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--enable-admission-plugins"
|
||
|
compare:
|
||
|
op: has
|
||
|
value: "NodeRestriction"
|
||
|
remediation: |
|
||
|
K3s would need to have the NodeRestriction admission plugin enabled by passing it as an argument to K3s.
|
||
|
--kube-apiserver-arg='enable-admission-plugins=NodeRestriction.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.18
|
||
|
text: "Ensure that the --insecure-bind-address argument is not set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--insecure-bind-address"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s explicitly excludes the use of the --insecure-bind-address parameter. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.19
|
||
|
text: "Ensure that the --insecure-port argument is set to 0 (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "insecure-port"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--insecure-port"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: 0
|
||
|
remediation: |
|
||
|
By default, K3s starts the kube-apiserver process with this argument's parameter set to 0. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.20
|
||
|
text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "secure-port"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--secure-port"
|
||
|
compare:
|
||
|
op: gt
|
||
|
value: 0
|
||
|
- flag: "--secure-port"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s sets the parameter of 6444 for the --secure-port argument. No manual remediation is needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.21
|
||
|
text: "Ensure that the --profiling argument is set to false (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "profiling"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--profiling"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: false
|
||
|
remediation: |
|
||
|
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.22
|
||
|
text: "Ensure that the --audit-log-path argument is set (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-path"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--audit-log-path"
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-path=/path/to/log/file'
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.23
|
||
|
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxage"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--audit-log-maxage"
|
||
|
compare:
|
||
|
op: gte
|
||
|
value: 30
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxage=30'
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.24
|
||
|
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxbackup"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--audit-log-maxbackup"
|
||
|
compare:
|
||
|
op: gte
|
||
|
value: 10
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxbackup=10'
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.25
|
||
|
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxsize"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--audit-log-maxsize"
|
||
|
compare:
|
||
|
op: gte
|
||
|
value: 100
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxsize=100'
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.26
|
||
|
text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "request-timeout"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--request-timeout"
|
||
|
compare:
|
||
|
op: lte
|
||
|
value: 60
|
||
|
remediation: |
|
||
|
By default, K3s does not set the --request-timeout argument. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.27
|
||
|
text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-lookup"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--service-account-lookup"
|
||
|
set: false
|
||
|
- flag: "--service-account-lookup"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: true
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following argument, --kube-apiserver-arg='service-account-lookup=true'
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.28
|
||
|
text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-key-file"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--service-account-key-file"
|
||
|
remediation: |
|
||
|
By default, K3s sets the --service-account-key-file explicitly. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.29
|
||
|
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-certfile|etcd-keyfile'
|
||
|
tests:
|
||
|
bin_op: and
|
||
|
test_items:
|
||
|
- flag: "--etcd-certfile"
|
||
|
- flag: "--etcd-keyfile"
|
||
|
remediation: |
|
||
|
By default, K3s sets the --etcd-certfile and --etcd-keyfile arguments explicitly. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.30
|
||
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'tls-cert-file|tls-private-key-file'
|
||
|
tests:
|
||
|
bin_op: and
|
||
|
test_items:
|
||
|
- flag: "--tls-cert-file"
|
||
|
- flag: "--tls-private-key-file"
|
||
|
remediation: |
|
||
|
By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments explicitly. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.31
|
||
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--client-ca-file"
|
||
|
remediation: |
|
||
|
By default, K3s sets the --client-ca-file argument explicitly. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.32
|
||
|
text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-cafile'
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--etcd-cafile"
|
||
|
remediation: |
|
||
|
By default, K3s sets the --etcd-cafile argument explicitly. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.33
|
||
|
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E "encryption-provider-config"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--encryption-provider-config"
|
||
|
remediation: |
|
||
|
K3s server needs to be ran with the follow, --kube-apiserver-arg='encryption-provider-config=/path/to/encryption_config'.
|
||
|
This can be done by running k3s with the --secrets-encryptiuon argument which will configure the encryption provider.
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.2.34
|
||
|
text: "Ensure that encryption providers are appropriately configured (Manual)"
|
||
|
type: manual
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following, --secrets-encryption=true, and verify that one of the allowed encryption providers is present.
|
||
|
Run the below command on the master node.
|
||
|
grep aescbc /path/to/encryption-config.json
|
||
|
Verify that aescbc/kms/secretbox is set as the encryption provider for all the desired resources.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.2.35
|
||
|
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "tls-cipher-suites"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--tls-cipher-suites"
|
||
|
compare:
|
||
|
op: valid_elements
|
||
|
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
||
|
remediation: |
|
||
|
By default, K3s explicitly doesn't set this flag. No manual remediation needed.
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.3
|
||
|
text: "Controller Manager"
|
||
|
checks:
|
||
|
- id: 1.3.1
|
||
|
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
|
||
|
audit: |
|
||
|
journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "terminated-pod-gc-threshold"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--terminated-pod-gc-threshold"
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following, --kube-controller-manager-arg='terminated-pod-gc-threshold=10.
|
||
|
scored: false
|
||
|
|
||
|
- id: 1.3.2
|
||
|
text: "Ensure that the --profiling argument is set to false (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "profiling"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--profiling"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: false
|
||
|
remediation: |
|
||
|
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.3.3
|
||
|
text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "use-service-account-credentials"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--use-service-account-credentials"
|
||
|
compare:
|
||
|
op: noteq
|
||
|
value: false
|
||
|
remediation: |
|
||
|
K3s server needs to be run with the following, --kube-controller-manager-arg='use-service-account-credentials=true'
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.3.4
|
||
|
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "service-account-private-key-file"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--service-account-private-key-file"
|
||
|
remediation: |
|
||
|
By default, K3s sets the --service-account-private-key-file argument with the service account key file. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.3.5
|
||
|
text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "root-ca-file"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--root-ca-file"
|
||
|
remediation: |
|
||
|
By default, K3s sets the --root-ca-file argument with the root ca file. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.3.6
|
||
|
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "RotateKubeletServerCertificate"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--feature-gates"
|
||
|
compare:
|
||
|
op: nothave
|
||
|
value: "RotateKubeletServerCertificate=false"
|
||
|
set: true
|
||
|
- flag: "--feature-gates"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s implements its own logic for certificate generation and rotation.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.3.7
|
||
|
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "bind-address"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--bind-address"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: "127.0.0.1"
|
||
|
- flag: "--bind-address"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.4
|
||
|
text: "Scheduler"
|
||
|
checks:
|
||
|
- id: 1.4.1
|
||
|
text: "Ensure that the --profiling argument is set to false (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-scheduler" | tail -n1 | grep "profiling"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--profiling"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: false
|
||
|
remediation: |
|
||
|
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
|
||
|
scored: true
|
||
|
|
||
|
- id: 1.4.2
|
||
|
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
|
||
|
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "bind-address"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--bind-address"
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: "127.0.0.1"
|
||
|
- flag: "--bind-address"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
|
||
|
scored: true
|