1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-22 22:58:07 +00:00
kube-bench/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml

125 lines
5.4 KiB
YAML
Raw Normal View History

---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 2.1
text: "DISA Category Code I"
checks:
- id: V-242390
text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242400
text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "AllAlpha=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or $kubeletconf that contain the feature-gates
setting with AllAlpha set to "true".
Set the flag to "false" or remove the "AllAlpha" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: 2.2
text: "DISA Category Code II"
checks:
- id: V-242381
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: V-242402
text: "The Kubernetes API Server must have an audit log path set (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242403
text: "Kubernetes API Server must generate audit records (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242461
text: "Kubernetes API Server audit logs must be enabled. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242462
text: "The Kubernetes API Server must be set to audit log max size. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242463
text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242464
text: "The Kubernetes API Server audit log retention must be set. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242465
text: "The Kubernetes API Server audit log path must be set. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: 2.2
text: "DISA Category Code II"
checks:
- id: V-242443
text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
type: "manual"
remediation: |
Upgrade Kubernetes to a supported version.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html