mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-30 11:58:11 +00:00
125 lines
5.4 KiB
YAML
125 lines
5.4 KiB
YAML
|
---
|
||
|
controls:
|
||
|
version: "eks-stig-kubernetes-v1r6"
|
||
|
id: 2
|
||
|
text: "Control Plane Configuration"
|
||
|
type: "controlplane"
|
||
|
groups:
|
||
|
- id: 2.1
|
||
|
text: "DISA Category Code I"
|
||
|
checks:
|
||
|
- id: V-242390
|
||
|
text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
|
||
|
audit: "/bin/ps -fC $kubeletbin"
|
||
|
audit_config: "/bin/cat $kubeletconf"
|
||
|
tests:
|
||
|
test_items:
|
||
|
- flag: "--anonymous-auth"
|
||
|
path: '{.authentication.anonymous.enabled}'
|
||
|
set: true
|
||
|
compare:
|
||
|
op: eq
|
||
|
value: false
|
||
|
remediation: |
|
||
|
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
|
||
|
false.
|
||
|
If using executable arguments, edit the kubelet service file
|
||
|
$kubeletsvc on each worker node and
|
||
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||
|
--anonymous-auth=false
|
||
|
Based on your system, restart the kubelet service. For example:
|
||
|
systemctl daemon-reload
|
||
|
systemctl restart kubelet.service
|
||
|
scored: true
|
||
|
- id: V-242400
|
||
|
text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
|
||
|
audit: "/bin/ps -fC $kubeletbin"
|
||
|
audit_config: "/bin/cat $kubeletconf"
|
||
|
tests:
|
||
|
bin_op: or
|
||
|
test_items:
|
||
|
- flag: "--feature-gates"
|
||
|
compare:
|
||
|
op: nothave
|
||
|
value: "AllAlpha=true"
|
||
|
set: true
|
||
|
- flag: "--feature-gates"
|
||
|
set: false
|
||
|
remediation: |
|
||
|
Edit any manifest files or $kubeletconf that contain the feature-gates
|
||
|
setting with AllAlpha set to "true".
|
||
|
Set the flag to "false" or remove the "AllAlpha" setting
|
||
|
completely. Restart the kubelet service if the kubelet config file
|
||
|
if the kubelet config file is changed.
|
||
|
scored: true
|
||
|
- id: 2.2
|
||
|
text: "DISA Category Code II"
|
||
|
checks:
|
||
|
- id: V-242381
|
||
|
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
||
|
to the Kubernetes API server.
|
||
|
Modify the configuration of each default service account to include this value
|
||
|
automountServiceAccountToken: false
|
||
|
scored: false
|
||
|
- id: V-242402
|
||
|
text: "The Kubernetes API Server must have an audit log path set (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||
|
scored: false
|
||
|
- id: V-242403
|
||
|
text: "Kubernetes API Server must generate audit records (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||
|
scored: false
|
||
|
- id: V-242461
|
||
|
text: "Kubernetes API Server audit logs must be enabled. (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||
|
scored: false
|
||
|
- id: V-242462
|
||
|
text: "The Kubernetes API Server must be set to audit log max size. (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||
|
scored: false
|
||
|
- id: V-242463
|
||
|
text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||
|
scored: false
|
||
|
- id: V-242464
|
||
|
text: "The Kubernetes API Server audit log retention must be set. (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||
|
scored: false
|
||
|
- id: V-242465
|
||
|
text: "The Kubernetes API Server audit log path must be set. (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||
|
scored: false
|
||
|
- id: 2.2
|
||
|
text: "DISA Category Code II"
|
||
|
checks:
|
||
|
- id: V-242443
|
||
|
text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
|
||
|
type: "manual"
|
||
|
remediation: |
|
||
|
Upgrade Kubernetes to a supported version.
|
||
|
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
|