From a34047c1058b78b9dc84615fe61aa86e5a30d3f2 Mon Sep 17 00:00:00 2001 From: Chris Renzo <86670002+crenzoaws@users.noreply.github.com> Date: Wed, 14 Sep 2022 10:40:48 -0400 Subject: [PATCH] Adding eks-stig-kubernetes-v1r6 (#1266) * Adding eks-stig-kubernetes-v1r6 * Fixing lint errors * Reformatting texts * Removing pinned docker tag * Updating Expected Stig Output Co-authored-by: EC2 Default User --- CONTRIBUTING.md | 1 + cfg/config.yaml | 5 + cfg/eks-stig-kubernetes-v1r6/config.yaml | 9 + .../controlplane.yaml | 124 ++++++++ .../managedservices.yaml | 268 ++++++++++++++++ cfg/eks-stig-kubernetes-v1r6/master.yaml | 6 + cfg/eks-stig-kubernetes-v1r6/node.yaml | 287 ++++++++++++++++++ cfg/eks-stig-kubernetes-v1r6/policies.yaml | 33 ++ docs/architecture.md | 6 + docs/platforms.md | 6 +- docs/running.md | 27 +- hack/kind-stig.test.yaml | 56 ++++ hack/kind-stig.yaml | 56 ++++ .../testdata/Expected_output_stig.data | 266 ++++++++++++++++ job-eks-stig.yaml | 43 +++ makefile | 12 + 16 files changed, 1203 insertions(+), 2 deletions(-) create mode 100644 cfg/eks-stig-kubernetes-v1r6/config.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/controlplane.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/managedservices.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/master.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/node.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/policies.yaml create mode 100644 hack/kind-stig.test.yaml create mode 100644 hack/kind-stig.yaml create mode 100644 integration/testdata/Expected_output_stig.data create mode 100644 job-eks-stig.yaml diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 66c3e17..f4b6f1e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -77,3 +77,4 @@ Finally, we can use the `make kind-run` target to run the current version of kub Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` ) +To run the STIG tests locally execute the following: `make build-docker kind-push kind-run-stig` diff --git a/cfg/config.yaml b/cfg/config.yaml index fcb8bd8..bb0e5f3 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -324,3 +324,8 @@ target_mapping: - "controlplane" - "policies" - "etcd" + "eks-stig-kubernetes-v1r6": + - "node" + - "controlplane" + - "policies" + - "managedservices" diff --git a/cfg/eks-stig-kubernetes-v1r6/config.yaml b/cfg/eks-stig-kubernetes-v1r6/config.yaml new file mode 100644 index 0000000..17301a7 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/config.yaml @@ -0,0 +1,9 @@ +--- +## Version-specific settings that override the values in cfg/config.yaml +## These settings are required if you are using the --asff option to report findings to AWS Security Hub +## AWS account number is required. +AWS_ACCOUNT: "" +## AWS region is required. +AWS_REGION: "" +## EKS Cluster ARN is required. +CLUSTER_ARN: "" diff --git a/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml new file mode 100644 index 0000000..cc38159 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml 
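Review bot: The new `target_mapping` entry for `eks-stig-kubernetes-v1r6` omits `master`, yet this same commit creates `cfg/eks-stig-kubernetes-v1r6/master.yaml` and the row added to `docs/architecture.md` lists `master, controlplane, node, policies, managedservices` as the valid targets. Either add `- "master"` to the list so the documented target set matches what a run executes, or drop the group-less master.yaml and the doc row; as written, a user following the docs will ask for a target the mapping does not know. The rest of `target_mapping` is outside the hunk, so I cannot tell whether the empty master.yaml is accepted by the loader — worth confirming with a run.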
@@ -0,0 +1,124 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 2 +text: "Control Plane Configuration" +type: "controlplane" +groups: + - id: 2.1 + text: "DISA Category Code I" + checks: + - id: V-242390 + text: "The Kubernetes API server must have anonymous authentication disabled (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: "--anonymous-auth" + path: '{.authentication.anonymous.enabled}' + set: true + compare: + op: eq + value: false + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to + false. + If using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --anonymous-auth=false + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + - id: V-242400 + text: "The Kubernetes API server must have Alpha APIs disabled (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + bin_op: or + test_items: + - flag: "--feature-gates" + compare: + op: nothave + value: "AllAlpha=true" + set: true + - flag: "--feature-gates" + set: false + remediation: | + Edit any manifest files or $kubeletconf that contain the feature-gates + setting with AllAlpha set to "true". + Set the flag to "false" or remove the "AllAlpha" setting + completely. Restart the kubelet service if the kubelet config file + if the kubelet config file is changed. + scored: true + - id: 2.2 + text: "DISA Category Code II" + checks: + - id: V-242381 + text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)" + type: "manual" + remediation: | + Create explicit service accounts wherever a Kubernetes workload requires specific access + to the Kubernetes API server. 
+ Modify the configuration of each default service account to include this value + automountServiceAccountToken: false + scored: false + - id: V-242402 + text: "The Kubernetes API Server must have an audit log path set (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + - id: V-242403 + text: "Kubernetes API Server must generate audit records (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + - id: V-242461 + text: "Kubernetes API Server audit logs must be enabled. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + - id: V-242462 + text: "The Kubernetes API Server must be set to audit log max size. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + - id: V-242463 + text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + - id: V-242464 + text: "The Kubernetes API Server audit log retention must be set. 
(Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + - id: V-242465 + text: "The Kubernetes API Server audit log path must be set. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + - id: 2.2 + text: "DISA Category Code II" + checks: + - id: V-242443 + text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)" + type: "manual" + remediation: | + Upgrade Kubernetes to a supported version. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html diff --git a/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml new file mode 100644 index 0000000..23c4eaa --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml 
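Review bot: Checks V-242390 and V-242400 are titled as API-server controls, but their `audit`/`audit_config` read `$kubeletbin` and `$kubeletconf` and the remediation edits the kubelet service file, so a pass here proves only the kubelet's anonymous-auth and feature-gate settings, not the API server's; on EKS the API server is not inspectable from the node, so these should either become `type: "manual"` or `"skip"` with a comment pointing at the managed control plane, or be retitled to what they actually test (V-242391 in node.yaml already covers the kubelet case). The file also declares a group with `id: 2.2` and the same text twice, so V-242443 is reported under a second "DISA Category Code II" group; give the final group a distinct id such as `2.3`. V-242443 is additionally the only check without a `scored:` key, and V-242381, V-242402 and V-242403 are defined again in policies.yaml and managedservices.yaml in this patch (the latter two as `type: "skip"`), so the same STIG ID will be emitted twice with different outcomes. The remediation line `completely. Restart the kubelet service if the kubelet config file if the kubelet config file is changed.` in V-242400 (repeated in V-242398 and V-242399 of node.yaml) should read `completely. Restart the kubelet service if the kubelet config file is changed.`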
@@ -0,0 +1,268 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 5 +text: "Managed Services" +type: "managedservices" +groups: + - id: 5.1 + text: "DISA Category Code I" + checks: + - id: V-242386 + text: "The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane" + type: "skip" + + - id: V-242388 + text: "The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane" + type: "skip" + + - id: V-242436 + text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)" + type: "manual" + remediation: | + Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook + Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html + scored: false + + - id: V-245542 + text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane" + type: "skip" + + - id: 5.2 + text: "DISA Category Code II" + checks: + - id: V-242376 + text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane" + type: "skip" + + - id: V-242377 + text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane" + type: "skip" + + - id: V-242378 + text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane" + type: "skip" + + - id: V-242379 + text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane" + type: "skip" + + - id: V-242380 + text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane" + type: "skip" + + - id: V-242382 + text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane" + type: "skip" + + - id: V-242384 + text: 
"The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane" + type: "skip" + + - id: V-242385 + text: "The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane" + type: "skip" + + - id: V-242389 + text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane" + type: "skip" + + - id: V-242401 + text: "The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane" + type: "skip" + + - id: V-242402 + text: "The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane" + type: "skip" + + - id: V-242403 + text: "Kubernetes API Server must generate audit records | Component of EKS Control Plane" + type: "skip" + + - id: V-242405 + text: "The Kubernetes manifests must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242408 + text: "The Kubernetes manifests must have least privileges | Component of EKS Control Plane" + type: "skip" + + - id: V-242409 + text: "Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane" + type: "skip" + + - id: V-242410 + text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242411 + text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242412 + text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242413 + text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242418 + text: "The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane" + type: "skip" + + - id: V-242419 + text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + 
- id: V-242420 + text: "Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + - id: V-242421 + text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + - id: V-242422 + text: "Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242423 + text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242424 + text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242425 + text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242426 + text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242427 + text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242428 + text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242429 + text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + - id: V-242430 + text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242431 + text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242432 + text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242433 + text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane" + 
type: "skip" + + - id: V-242438 + text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane" + type: "skip" + + - id: V-242444 + text: "The Kubernetes component manifests must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242445 + text: "The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane" + type: "skip" + + - id: V-242446 + text: "The Kubernetes conf files must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242447 + text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242448 + text: "The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242449 + text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242450 + text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242451 + text: "The Kubernetes component PKI must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242452 + text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242453 + text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242454 + text: "The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242455 + text: "The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242456 + text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | 
Component of EKS Control Plane" + type: "skip" + + - id: V-242457 + text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242458 + text: "The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242459 + text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242460 + text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242466 + text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242467 + text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242468 + text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane" + type: "skip" + + - id: V-245541 + text: "Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane" + type: "skip" + + - id: V-245543 + text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane" + type: "skip" + + - id: V-245544 + text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane" + type: "skip" diff --git a/cfg/eks-stig-kubernetes-v1r6/master.yaml b/cfg/eks-stig-kubernetes-v1r6/master.yaml new file mode 100644 index 0000000..8152a1a --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/master.yaml @@ -0,0 +1,6 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 1 +text: "Control Plane Components" +type: "master" 
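Review bot: Several entries skipped as `Component of EKS Control Plane` describe the kubelet or kube-proxy on worker nodes rather than the managed control plane — V-242420, V-242425 and V-245541 (kubelet CA, tls-cert-file, timeouts), V-242447/V-242448 (kube-proxy file ownership and permissions) and V-242449 through V-242453 plus V-242456/V-242457 (kubelet CA and config file ownership and permissions) — and node.yaml in this same patch already audits `$kubeletconf` on those nodes, so these controls are auditable and marking them `skip` leaves worker-node findings unreported. Consider moving the kubelet and kube-proxy items into node.yaml with `audit`/`audit_config` tests (V-242406 and V-242407 there show the pattern for ownership and permission checks), or at least giving them `type: "manual"` with a remediation that points at the node configuration. The `| Component of EKS Control Plane` suffix is also carried inside each `text` value, so it presumably appears in the report as part of the check title; a `# managed by the EKS control plane, not auditable from a node` comment above each skipped check would record the reason without altering the title.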
diff --git a/cfg/eks-stig-kubernetes-v1r6/node.yaml b/cfg/eks-stig-kubernetes-v1r6/node.yaml new file mode 100644 index 0000000..9609124 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/node.yaml 
@@ -0,0 +1,287 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 3 +text: "Worker Node Security Configuration" +type: "node" +groups: + - id: 3.1 + text: "DISA Category Code I" + checks: + - id: V-242387 # CIS 3.2.4 + text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: "--read-only-port" + path: '{.readOnlyPort}' + set: true + compare: + op: eq + value: 0 + remediation: | + If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0. + If using command line arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --read-only-port=0 + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: false + - id: V-242391 # CIS 3.2.1 + text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: "--anonymous-auth" + path: '{.authentication.anonymous.enabled}' + set: true + compare: + op: eq + value: false + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to + false. + If using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --anonymous-auth=false + Based on your system, restart the kubelet service. 
For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + - id: V-242392 # CIS 3.2.2 + text: "The Kubernetes kubelet must enable explicit authorization (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: --authorization-mode + path: '{.authorization.mode}' + set: true + compare: + op: nothave + value: AlwaysAllow + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If + using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_AUTHZ_ARGS variable. + --authorization-mode=Webhook + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + - id: V-242397 + text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - path: '{.staticPodPath}' + set: false + remediation: | + Edit $kubeletconf on each node to to remove the staticPodPath + Based on your system, restart the kubelet service. For example, + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + - id: V-242415 + text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)" + type: "manual" + remediation: | + Run the following command: + kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A + If any of the values returned reference environment variables + rewrite application code to read secrets from mounted secret files, rather than + from environment variables. 
+ scored: false + - id: V-242434 # CIS 3.2.6 + text: "Kubernetes Kubelet must enable kernel protection (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: --protect-kernel-defaults + path: '{.protectKernelDefaults}' + set: true + compare: + op: eq + value: true + remediation: | + If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true. + If using command line arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --protect-kernel-defaults=true + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + - id: V-242435 + text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: --authorization-mode + path: '{.authorization.mode}' + set: true + compare: + op: nothave + value: AlwaysAllow + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If + using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_AUTHZ_ARGS variable. + --authorization-mode=Webhook + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + - id: V-242393 + text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)" + audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' ' + tests: + test_items: + - flag: ActiveState + compare: + op: eq + value: inactive + remediation: | + To stop the sshd service, run the command: systemctl stop sshd + scored: true + - id: V-242394 + text: "Kubernetes Worker Nodes must not have the sshd service enabled. 
(Automated)" + audit: "/bin/sh -c 'systemctl is-enabled sshd.service'" + tests: + test_items: + - flag: "disabled" + remediation: | + To disable the sshd service, run the command: + chkconfig sshd off + scored: true + - id: V-242395 + text: "Kubernetes dashboard must not be enabled. (Manual)" + type: "manual" + remediation: | + Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard + If any resources are returned, this is a finding. + Fix Text: Delete the Kubernetes dashboard deployment with the following command: + kubectl delete deployment kubernetes-dashboard --namespace=kube-system + scored: false + - id: V-242398 + text: "Kubernetes DynamicAuditing must not be enabled. (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + bin_op: or + test_items: + - flag: "--feature-gates" + compare: + op: nothave + value: "DynamicAuditing=true" + set: true + - flag: "--feature-gates" + set: false + remediation: | + Edit any manifest files or kubelet config files that contain the feature-gates + setting with DynamicAuditing set to "true". + Set the flag to "false" or remove the "DynamicAuditing" setting + completely. Restart the kubelet service if the kubelet config file + if the kubelet config file is changed. + scored: true + - id: V-242399 + text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + bin_op: or + test_items: + - flag: "--feature-gates" + compare: + op: nothave + value: "DynamicKubeletConfig=true" + set: true + - flag: "--feature-gates" + set: false + remediation: | + Edit any manifest files or $kubeletconf that contain the feature-gates + setting with DynamicKubeletConfig set to "true". + Set the flag to "false" or remove the "DynamicKubeletConfig" setting + completely. Restart the kubelet service if the kubelet config file + if the kubelet config file is changed. 
+ scored: true + - id: V-242404 # CIS 3.2.8 + text: "Kubernetes Kubelet must deny hostname override (Automated)" + # This is one of those properties that can only be set as a command line argument. + # To check if the property is set as expected, we need to parse the kubelet command + # instead reading the Kubelet Configuration file. + audit: "/bin/ps -fC $kubeletbin " + tests: + test_items: + - flag: --hostname-override + set: false + remediation: | + Edit the kubelet service file $kubeletbin + on each worker node and remove the --hostname-override argument from the + KUBELET_SYSTEM_PODS_ARGS variable. + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + - id: V-242406 + text: "The Kubernetes kubelet configuration file must be owned by root (Automated)" + audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' ' + tests: + test_items: + - flag: root:root + remediation: | + Run the below command (based on the file location on your system) on the each worker node. + For example, + chown root:root $kubeletkubeconfig + scored: true + - id: V-242407 + text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)" + audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "644" + remediation: | + Run the following command (using the config file location identified in the Audit step) + chmod 644 $kubeletconf + scored: true + - id: V-242414 + text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)" + type: "manual" + remediation: | + For any of the pods that are using ports below 1024, + reconfigure the pod to use a service to map a host non-privileged + port to the pod port or reconfigure the image to use non-privileged ports. 
+ scored: false + - id: V-242442 + text: "Kubernetes must remove old components after updated versions have been installed. (Manual)" + type: "manual" + remediation: | + To view all pods and the images used to create the pods, from the Master node, run the following command: + kubectl get pods --all-namespaces -o jsonpath="{..image}" | \ + tr -s '[[:space:]]' '\n' | \ + sort | \ + uniq -c + Review the images used for pods running within Kubernetes. + Remove any old pods that are using older images. + scored: false + - id: V-242396 + text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)" + type: "manual" + remediation: | + If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. + Upgrade the Master and Worker nodes to the latest version of kubectl. + scored: false diff --git a/cfg/eks-stig-kubernetes-v1r6/policies.yaml b/cfg/eks-stig-kubernetes-v1r6/policies.yaml new file mode 100644 index 0000000..e91eacc --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/policies.yaml 
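Review bot: V-242397 tests only `path: '{.staticPodPath}'` with no `flag`, so a kubelet started with the `--pod-manifest-path` command-line argument and no config-file entry would still pass; add `flag: --pod-manifest-path` alongside the path (keeping `set: false`) so the command line is checked the way V-242404 checks `--hostname-override`. V-242406 audits `$kubeletkubeconfig` while its sibling V-242407, titled for the same kubelet configuration file, audits `$kubeletconf`; one of the two looks like the wrong variable — confirm against the STIG text which file each control means. V-242394's remediation says `chkconfig sshd off` while its audit uses `systemctl is-enabled sshd.service`; `systemctl disable sshd.service` matches the audited init system. V-242397's remediation also has a doubled `to to` in `Edit $kubeletconf on each node to to remove the staticPodPath`.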
@@ -0,0 +1,33 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 4 +text: "Policies" +type: "policies" +groups: + - id: 4.1 + text: "Policies - DISA Category Code I" + checks: + - id: V-242381 + text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)" + type: "manual" + remediation: | + Create explicit service accounts wherever a Kubernetes workload requires specific access + to the Kubernetes API server. + Modify the configuration of each default service account to include this value + automountServiceAccountToken: false + scored: false + + - id: V-242383 + text: "User-managed resources must be created in dedicated namespaces. (Manual)" + type: "manual" + remediation: | + Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces. + scored: false + + - id: V-242417 + text: "Kubernetes must separate user functionality. (Manual)" + type: "manual" + remediation: | + Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces. + scored: false diff --git a/docs/architecture.md b/docs/architecture.md index 1837063..b423a71 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -27,4 +27,10 @@ The following table shows the valid targets based on the CIS Benchmark version. | rh-0.7 | master,node| | rh-1.0 | master, controlplane, node, etcd, policies | +The following table shows the valid DISA STIG versions + +| STIG | Targets | +|----------------------------|---------| +| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices | + diff --git a/docs/platforms.md b/docs/platforms.md index 0883eed..8d4e3d7 100644 --- a/docs/platforms.md +++ b/docs/platforms.md 
@@ -2,7 +2,10 @@ ## CIS Kubernetes Benchmark support kube-bench supports running tests for Kubernetes. -Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). +Most of our supported benchmarks are defined in one of the following: + [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/) + [STIG Document Library](https://public.cyber.mil/stigs/downloads) + Some defined by other hardenening guides. | Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions | @@ -18,3 +21,4 @@ Some defined by other hardenening guides. | CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS | | RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | | CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- | +| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS | diff --git a/docs/running.md b/docs/running.md index 04af7bb..11b37d6 100644 --- a/docs/running.md +++ b/docs/running.md @@ -77,7 +77,7 @@ docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install ``` kube-bench cannot be run on AKS master nodes -### Running in an EKS cluster +### Running CIS benchmark in an EKS cluster There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed 
@@ -103,6 +103,31 @@ docker push .dkr.ecr..amazonaws.com/k8s/kube-bench: 8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-` - You can save the report for later reference: `kubectl logs kube-bench- > kube-bench-report.txt` +### Running DISA STIG in an EKS cluster + +There is a `job-eks-stig.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed + +1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide* + - Information on configuring `eksctl`, `kubectl` and the AWS CLI is within +2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image +``` +aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE +``` +3. Download, build and push the kube-bench container image to your ECR repo +``` +git clone https://github.com/aquasecurity/kube-bench.git +cd kube-bench +aws ecr get-login-password --region | docker login --username AWS --password-stdin .dkr.ecr..amazonaws.com +docker build -t k8s/kube-bench . +docker tag k8s/kube-bench:latest .dkr.ecr..amazonaws.com/k8s/kube-bench:latest +docker push .dkr.ecr..amazonaws.com/k8s/kube-bench:latest +``` +4. Copy the URI of your pushed image, the URI format is like this: `.dkr.ecr..amazonaws.com/k8s/kube-bench:latest` +5. Replace the `image` value in `job-eks-stig.yaml` with the URI from Step 4 +6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks-stig.yaml` +7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces` +8. 
Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-` + - You can save the report for later reference: `kubectl logs kube-bench- > kube-bench-report.txt` ### Running on OpenShift diff --git a/hack/kind-stig.test.yaml b/hack/kind-stig.test.yaml new file mode 100644 index 0000000..5051277 --- /dev/null +++ b/hack/kind-stig.test.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench +spec: + template: + metadata: + labels: + app: kube-bench + spec: + hostPID: true + containers: + - name: kube-bench + image: docker.io/aquasec/kube-bench:latest + command: [ + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + - name: etc-systemd + mountPath: /etc/systemd + - name: etc-kubernetes + mountPath: /etc/kubernetes + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + - name: kind-bin + mountPath: /kind/bin + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" + - name: kind-bin + hostPath: + path: "/kind/bin" diff --git a/hack/kind-stig.yaml b/hack/kind-stig.yaml new file mode 100644 index 0000000..3b1ab69 --- /dev/null +++ b/hack/kind-stig.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench +spec: + template: + metadata: + labels: + app: kube-bench + spec: + hostPID: true + containers: + - name: kube-bench + image: docker.io/aquasec/kube-bench:${VERSION} + command: [ + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + - name: etc-systemd + mountPath: /etc/systemd + - name: etc-kubernetes + mountPath: /etc/kubernetes + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + - name: kind-bin + mountPath: /kind/bin + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" + - name: kind-bin + hostPath: + path: "/kind/bin" diff --git a/integration/testdata/Expected_output_stig.data b/integration/testdata/Expected_output_stig.data new file mode 100644 index 0000000..167dd03 --- /dev/null +++ b/integration/testdata/Expected_output_stig.data 
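Review bot: None of the six hostPath volumeMounts in this kind job set `readOnly: true`, although `job-eks-stig.yaml` in the same commit marks its mounts read-only and the benchmark only reads from these paths; add `readOnly: true` under each `mountPath` so a run with `hostPID: true` cannot modify host state. `/var/lib/etcd` and `/kind/bin` are also mounted although the STIG target list documented in `docs/architecture.md` in this commit has no etcd target, so those two mounts can likely be dropped unless the controlplane checks rely on them. The same layout is duplicated in `hack/kind-stig.test.yaml`, which the makefile regenerates from this file via `sed`; whichever copy is kept should carry the fix.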
@@ -0,0 +1,266 @@ +[INFO] 1 Control Plane Components + +== Summary master == +0 checks PASS +0 checks FAIL +0 checks WARN +0 checks INFO + +[INFO] 2 Control Plane Configuration +[INFO] 2.1 DISA Category Code I +[FAIL] V-242390 The Kubernetes API server must have anonymous authentication disabled (Automated) +[FAIL] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated) +[INFO] 2.2 DISA Category Code II +[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual) +[WARN] V-242402 The Kubernetes API Server must have an audit log path set (Manual) +[WARN] V-242403 Kubernetes API Server must generate audit records (Manual) +[WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual) +[WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual) +[WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual) +[WARN] V-242464 The Kubernetes API Server audit log retention must be set. (Manual) +[WARN] V-242465 The Kubernetes API Server audit log path must be set. (Manual) +[WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual) + +== Remediations controlplane == +V-242390 If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to +false. +If using executable arguments, edit the kubelet service file +$kubeletsvc on each worker node and +set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. +--anonymous-auth=false +Based on your system, restart the kubelet service. For example: +systemctl daemon-reload +systemctl restart kubelet.service + +V-242400 Edit any manifest files or $kubeletconf that contain the feature-gates +setting with AllAlpha set to "true". +Set the flag to "false" or remove the "AllAlpha" setting +completely. Restart the kubelet service if the kubelet config file +if the kubelet config file is changed. 
+ +V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access +to the Kubernetes API server. +Modify the configuration of each default service account to include this value +automountServiceAccountToken: false + +V-242402 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242403 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242461 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242462 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242463 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242464 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242443 Upgrade Kubernetes to a supported version. 
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html + + +== Summary controlplane == +0 checks PASS +2 checks FAIL +9 checks WARN +0 checks INFO + +[INFO] 3 Worker Node Security Configuration +[INFO] 3.1 DISA Category Code I +[WARN] V-242387 The Kubernetes Kubelet must have the read-only port flag disabled (Manual) +[PASS] V-242391 The Kubernetes Kubelet must have anonymous authentication disabled (Automated) +[PASS] V-242392 The Kubernetes kubelet must enable explicit authorization (Automated) +[FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated) +[WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables.(Manual) +[FAIL] V-242434 Kubernetes Kubelet must enable kernel protection (Automated) +[PASS] V-242435 Kubernetes must prevent non-privileged users from executing privileged functions (Automated) +[FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. (Automated) +[FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated) +[WARN] V-242395 Kubernetes dashboard must not be enabled. (Manual) +[PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated) +[PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated) +[PASS] V-242404 Kubernetes Kubelet must deny hostname override (Automated) +[PASS] V-242406 The Kubernetes kubelet configuration file must be owned by root (Automated) +[PASS] V-242407 The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated) +[WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual) +[WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual) +[WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. 
(Manual) + +== Remediations node == +V-242387 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set readOnlyPort to 0. +If using command line arguments, edit the kubelet service file +/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and +set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. +--read-only-port=0 +Based on your system, restart the kubelet service. For example: +systemctl daemon-reload +systemctl restart kubelet.service + +V-242397 Edit /var/lib/kubelet/config.yaml on each node to to remove the staticPodPath +Based on your system, restart the kubelet service. For example, +systemctl daemon-reload +systemctl restart kubelet.service + +V-242415 Run the following command: +kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A +If any of the values returned reference environment variables +rewrite application code to read secrets from mounted secret files, rather than +from environment variables. + +V-242434 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set protectKernelDefaults: true. +If using command line arguments, edit the kubelet service file +/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and +set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. +--protect-kernel-defaults=true +Based on your system, restart the kubelet service. For example: +systemctl daemon-reload +systemctl restart kubelet.service + +V-242393 To stop the sshd service, run the command: systemctl stop sshd + +V-242394 To disable the sshd service, run the command: + chkconfig sshd off + +V-242395 Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard +If any resources are returned, this is a finding. 
+Fix Text: Delete the Kubernetes dashboard deployment with the following command: + kubectl delete deployment kubernetes-dashboard --namespace=kube-system + +V-242414 For any of the pods that are using ports below 1024, +reconfigure the pod to use a service to map a host non-privileged +port to the pod port or reconfigure the image to use non-privileged ports. + +V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command: + kubectl get pods --all-namespaces -o jsonpath="{..image}" | \ + tr -s '[[:space:]]' '\n' | \ + sort | \ + uniq -c + Review the images used for pods running within Kubernetes. + Remove any old pods that are using older images. + +V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. +Upgrade the Master and Worker nodes to the latest version of kubectl. + + +== Summary node == +8 checks PASS +4 checks FAIL +6 checks WARN +0 checks INFO + +[INFO] 4 Policies +[INFO] 4.1 Policies - DISA Category Code I +[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual) +[WARN] V-242383 User-managed resources must be created in dedicated namespaces. (Manual) +[WARN] V-242417 Kubernetes must separate user functionality. (Manual) + +== Remediations policies == +V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access +to the Kubernetes API server. +Modify the configuration of each default service account to include this value +automountServiceAccountToken: false + +V-242383 Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces. + +V-242417 Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces. 
+ + +== Summary policies == +0 checks PASS +0 checks FAIL +3 checks WARN +0 checks INFO + +[INFO] 5 Managed Services +[INFO] 5.1 DISA Category Code I +[INFO] V-242386 The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane +[INFO] V-242388 The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane +[WARN] V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual) +[INFO] V-245542 Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane +[INFO] 5.2 DISA Category Code II +[INFO] V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane +[INFO] V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane +[INFO] V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane +[INFO] V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane +[INFO] V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane +[INFO] V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane +[INFO] V-242384 The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane +[INFO] V-242385 The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane +[INFO] V-242389 The Kubernetes API server must have the secure port set | Component of EKS Control Plane +[INFO] V-242401 The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane +[INFO] V-242402 The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane +[INFO] V-242403 Kubernetes 
API Server must generate audit records | Component of EKS Control Plane +[INFO] V-242405 The Kubernetes manifests must be owned by root | Component of EKS Control Plane +[INFO] V-242408 The Kubernetes manifests must have least privileges | Component of EKS Control Plane +[INFO] V-242409 Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane +[INFO] V-242410 The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242411 The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242412 The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242413 The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242418 The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane +[INFO] V-242419 Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242422 Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane +[INFO] V-242423 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane +[INFO] V-242424 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane +[INFO] V-242425 Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane +[INFO] V-242426 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane +[INFO] V-242427 Kubernetes etcd must have a key file for secure communication | Component of 
EKS Control Plane +[INFO] V-242428 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane +[INFO] V-242429 Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242430 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane +[INFO] V-242431 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane +[INFO] V-242432 Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane +[INFO] V-242433 Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane +[INFO] V-242438 Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane +[INFO] V-242444 The Kubernetes component manifests must be owned by root | Component of EKS Control Plane +[INFO] V-242445 The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane +[INFO] V-242446 The Kubernetes conf files must be owned by root | Component of EKS Control Plane +[INFO] V-242447 The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242448 The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane +[INFO] V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242450 The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane +[INFO] V-242451 The Kubernetes component PKI must be owned by root | Component of EKS Control Plane +[INFO] V-242452 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242453 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane +[INFO] V-242454 The 
Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane +[INFO] V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242457 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane +[INFO] V-242458 The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242460 The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane +[INFO] V-242468 The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane +[INFO] V-245541 Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane +[INFO] V-245543 Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane +[INFO] V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane + +== Remediations managedservices == +V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook +Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html + + +== Summary managedservices == +0 checks PASS +0 checks FAIL +1 checks WARN +62 checks INFO + +== Summary total == +8 
checks PASS +6 checks FAIL +19 checks WARN +62 checks INFO + diff --git a/job-eks-stig.yaml b/job-eks-stig.yaml new file mode 100644 index 0000000..65ce5dc --- /dev/null +++ b/job-eks-stig.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench +spec: + template: + spec: + hostPID: true + containers: + - name: kube-bench + # Push the image to your ECR and then refer to it here + # image: + image: docker.io/aquasec/kube-bench:latest + # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead + command: + [ + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] + volumeMounts: + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + readOnly: true + - name: etc-systemd + mountPath: /etc/systemd + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + restartPolicy: Never + volumes: + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" diff --git a/makefile b/makefile index c607056..61b5b54 100644 --- a/makefile +++ b/makefile @@ -78,3 +78,15 @@ kind-run: kind-push kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \ kubectl logs job/kube-bench > ./test.data && \ diff ./test.data integration/testdata/Expected_output.data + +kind-run-stig: KUBECONFIG = "./kubeconfig.kube-bench" +kind-run-stig: kind-push + sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind-stig.yaml > ./hack/kind-stig.test.yaml + kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG) + -KUBECONFIG=$(KUBECONFIG) \ + kubectl delete job kube-bench + KUBECONFIG=$(KUBECONFIG) \ + kubectl apply -f ./hack/kind-stig.test.yaml && \ + kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \ + kubectl logs job/kube-bench > ./test.data && \ + diff ./test.data integration/testdata/Expected_output_stig.data
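Review bot: The fixture pins the unsubstituted variables `$kubeletconf` and `$kubeletsvc` in the controlplane remediation for V-242390, while every node remediation shows the resolved paths (`/var/lib/kubelet/config.yaml`, `10-kubeadm.conf`), so the controlplane text is being printed before substitution or uses variables that are never defined for that target. That remediation also describes kubelet anonymous authentication for what is an API-server rule, and the V-242400 text contains the doubled phrase `if the kubelet config file if the kubelet config file is changed`. All three originate in `cfg/eks-stig-kubernetes-v1r6/controlplane.yaml`, which is outside this view; they should be fixed there and the fixture regenerated rather than locked in as expected output. The summary counts at the end (8 PASS, 6 FAIL, 19 WARN, 62 INFO) do add up across the four sections.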
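Review bot: In `kind-run-stig` the `KUBECONFIG=$(KUBECONFIG)` prefix applies only to `kubectl apply`; the chained `kubectl wait` and `kubectl logs` run with the caller's default kubeconfig, so the wait and the log capture can target a different cluster than the job was applied to. The pre-existing `kind-run` context lines show the same shape, so if that is intentional a comment should say so; otherwise prefix the chained commands, e.g. `KUBECONFIG=$(KUBECONFIG) kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \` and `KUBECONFIG=$(KUBECONFIG) kubectl logs job/kube-bench > ./test.data && \`. The `sed` step writes `./hack/kind-stig.test.yaml`, which this commit also adds to the tree, so every run will leave a modified tracked file; either gitignore the generated copy or drop it from the commit.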