arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 15:48:06 +00:00
Code Issues Releases Wiki Activity

Adding eks-stig-kubernetes-v1r6 (#1266)

Browse Source 
* Adding eks-stig-kubernetes-v1r6

* Fixing lint errors

* Reformatting texts

* Removing pinned docker tag

* Updating Expected Stig Output

Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
This commit is contained in:
Chris Renzo 2022-09-14 10:40:48 -04:00 committed by GitHub
parent e05dabe0a9
commit a34047c105
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 1203 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CONTRIBUTING.md
View File

@ -77,3 +77,4 @@ Finally, we can use the `make kind-run` target to run the current version of kub
Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` ) Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )
To run the STIG tests locally execute the following: `make build-docker kind-push kind-run-stig`

5
cfg/config.yaml
View File

@ -324,3 +324,8 @@ target_mapping:
- "controlplane" - "controlplane"
- "policies" - "policies"
- "etcd" - "etcd"
"eks-stig-kubernetes-v1r6":
- "node"
- "controlplane"
- "policies"
- "managedservices"

9
cfg/eks-stig-kubernetes-v1r6/config.yaml Normal file
View File

@ -0,0 +1,9 @@
---
## Version-specific settings that override the values in cfg/config.yaml
## These settings are required if you are using the --asff option to report findings to AWS Security Hub
## AWS account number is required.
AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
## AWS region is required.
AWS_REGION: "<AWS_REGION>"
## EKS Cluster ARN is required.
CLUSTER_ARN: "<AWS_CLUSTER_ARN>"

124
cfg/eks-stig-kubernetes-v1r6/controlplane.yaml Normal file
View File

@ -0,0 +1,124 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 2.1
text: "DISA Category Code I"
checks:
- id: V-242390
text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242400
text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "AllAlpha=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or $kubeletconf that contain the feature-gates
setting with AllAlpha set to "true".
Set the flag to "false" or remove the "AllAlpha" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: 2.2
text: "DISA Category Code II"
checks:
- id: V-242381
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: V-242402
text: "The Kubernetes API Server must have an audit log path set (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242403
text: "Kubernetes API Server must generate audit records (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242461
text: "Kubernetes API Server audit logs must be enabled. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242462
text: "The Kubernetes API Server must be set to audit log max size. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242463
text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242464
text: "The Kubernetes API Server audit log retention must be set. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242465
text: "The Kubernetes API Server audit log path must be set. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: 2.2
text: "DISA Category Code II"
checks:
- id: V-242443
text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
type: "manual"
remediation: |
Upgrade Kubernetes to a supported version.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html

268
cfg/eks-stig-kubernetes-v1r6/managedservices.yaml Normal file
View File

@ -0,0 +1,268 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
- id: 5.1
text: "DISA Category Code I"
checks:
- id: V-242386
text: "The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane"
type: "skip"
- id: V-242388
text: "The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane"
type: "skip"
- id: V-242436
text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)"
type: "manual"
remediation: |
Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
scored: false
- id: V-245542
text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane"
type: "skip"
- id: 5.2
text: "DISA Category Code II"
checks:
- id: V-242376
text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane"
type: "skip"
- id: V-242377
text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane"
type: "skip"
- id: V-242378
text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane"
type: "skip"
- id: V-242379
text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
type: "skip"
- id: V-242380
text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
type: "skip"
- id: V-242382
text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane"
type: "skip"
- id: V-242384
text: "The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane"
type: "skip"
- id: V-242385
text: "The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane"
type: "skip"
- id: V-242389
text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane"
type: "skip"
- id: V-242401
text: "The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane"
type: "skip"
- id: V-242402
text: "The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane"
type: "skip"
- id: V-242403
text: "Kubernetes API Server must generate audit records | Component of EKS Control Plane"
type: "skip"
- id: V-242405
text: "The Kubernetes manifests must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242408
text: "The Kubernetes manifests must have least privileges | Component of EKS Control Plane"
type: "skip"
- id: V-242409
text: "Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane"
type: "skip"
- id: V-242410
text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242411
text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242412
text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242413
text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242418
text: "The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane"
type: "skip"
- id: V-242419
text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242420
text: "Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242421
text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242422
text: "Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane"
type: "skip"
- id: V-242423
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242424
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242425
text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242426
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242427
text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242428
text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
type: "skip"
- id: V-242429
text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242430
text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
type: "skip"
- id: V-242431
text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242432
text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242433
text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242438
text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane"
type: "skip"
- id: V-242444
text: "The Kubernetes component manifests must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242445
text: "The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane"
type: "skip"
- id: V-242446
text: "The Kubernetes conf files must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242447
text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242448
text: "The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242449
text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242450
text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242451
text: "The Kubernetes component PKI must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242452
text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242453
text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242454
text: "The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242455
text: "The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242456
text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242457
text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242458
text: "The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242459
text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242460
text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242466
text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242467
text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242468
text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane"
type: "skip"
- id: V-245541
text: "Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane"
type: "skip"
- id: V-245543
text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane"
type: "skip"
- id: V-245544
text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane"
type: "skip"

6
cfg/eks-stig-kubernetes-v1r6/master.yaml Normal file
View File

@ -0,0 +1,6 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 1
text: "Control Plane Components"
type: "master"

287
cfg/eks-stig-kubernetes-v1r6/node.yaml Normal file
View File

@ -0,0 +1,287 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 3.1
text: "DISA Category Code I"
checks:
- id: V-242387 # CIS 3.2.4
text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: V-242391 # CIS 3.2.1
text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242392 # CIS 3.2.2
text: "The Kubernetes kubelet must enable explicit authorization (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242397
text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- path: '{.staticPodPath}'
set: false
remediation: |
Edit $kubeletconf on each node to to remove the staticPodPath
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242415
text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)"
type: "manual"
remediation: |
Run the following command:
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
If any of the values returned reference environment variables
rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
scored: false
- id: V-242434 # CIS 3.2.6
text: "Kubernetes Kubelet must enable kernel protection (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
set: true
compare:
op: eq
value: true
remediation: |
If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242435
text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242393
text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
tests:
test_items:
- flag: ActiveState
compare:
op: eq
value: inactive
remediation: |
To stop the sshd service, run the command: systemctl stop sshd
scored: true
- id: V-242394
text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
tests:
test_items:
- flag: "disabled"
remediation: |
To disable the sshd service, run the command:
chkconfig sshd off
scored: true
- id: V-242395
text: "Kubernetes dashboard must not be enabled. (Manual)"
type: "manual"
remediation: |
Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
If any resources are returned, this is a finding.
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
scored: false
- id: V-242398
text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "DynamicAuditing=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or kubelet config files that contain the feature-gates
setting with DynamicAuditing set to "true".
Set the flag to "false" or remove the "DynamicAuditing" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: V-242399
text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "DynamicKubeletConfig=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or $kubeletconf that contain the feature-gates
setting with DynamicKubeletConfig set to "true".
Set the flag to "false" or remove the "DynamicKubeletConfig" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: V-242404 # CIS 3.2.8
text: "Kubernetes Kubelet must deny hostname override (Automated)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
set: false
remediation: |
Edit the kubelet service file $kubeletbin
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242406
text: "The Kubernetes kubelet configuration file must be owned by root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletkubeconfig
scored: true
- id: V-242407
text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the following command (using the config file location identified in the Audit step)
chmod 644 $kubeletconf
scored: true
- id: V-242414
text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)"
type: "manual"
remediation: |
For any of the pods that are using ports below 1024,
reconfigure the pod to use a service to map a host non-privileged
port to the pod port or reconfigure the image to use non-privileged ports.
scored: false
- id: V-242442
text: "Kubernetes must remove old components after updated versions have been installed. (Manual)"
type: "manual"
remediation: |
To view all pods and the images used to create the pods, from the Master node, run the following command:
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c
Review the images used for pods running within Kubernetes.
Remove any old pods that are using older images.
scored: false
- id: V-242396
text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
type: "manual"
remediation: |
If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
Upgrade the Master and Worker nodes to the latest version of kubectl.
scored: false

33
cfg/eks-stig-kubernetes-v1r6/policies.yaml Normal file
View File

@ -0,0 +1,33 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 4
text: "Policies"
type: "policies"
groups:
- id: 4.1
text: "Policies - DISA Category Code I"
checks:
- id: V-242381
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: V-242383
text: "User-managed resources must be created in dedicated namespaces. (Manual)"
type: "manual"
remediation: |
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
scored: false
- id: V-242417
text: "Kubernetes must separate user functionality. (Manual)"
type: "manual"
remediation: |
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
scored: false

6
docs/architecture.md
View File

@ -27,4 +27,10 @@ The following table shows the valid targets based on the CIS Benchmark version.
| rh-0.7 | master,node| | rh-0.7 | master,node|
| rh-1.0 | master, controlplane, node, etcd, policies | | rh-1.0 | master, controlplane, node, etcd, policies |
The following table shows the valid DISA STIG versions
| STIG | Targets |
|----------------------------|---------|
| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices |

6
docs/platforms.md
View File

@ -2,7 +2,10 @@
## CIS Kubernetes Benchmark support ## CIS Kubernetes Benchmark support
kube-bench supports running tests for Kubernetes. kube-bench supports running tests for Kubernetes.
Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). Most of our supported benchmarks are defined in one of the following:
[CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
[STIG Document Library](https://public.cyber.mil/stigs/downloads)
Some defined by other hardenening guides. Some defined by other hardenening guides.
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions | | Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
@ -18,3 +21,4 @@ Some defined by other hardenening guides.
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS | | CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | | RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- | | CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |

27
docs/running.md
View File

@ -77,7 +77,7 @@ docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
``` ```
kube-bench cannot be run on AKS master nodes kube-bench cannot be run on AKS master nodes
### Running in an EKS cluster ### Running CIS benchmark in an EKS cluster
There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
@ -103,6 +103,31 @@ docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>` 8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt` - You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
### Running DISA STIG in an EKS cluster
There is a `job-eks-stig.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide*
- Information on configuring `eksctl`, `kubectl` and the AWS CLI is within
2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image
```
aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
```
3. Download, build and push the kube-bench container image to your ECR repo
```
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
docker build -t k8s/kube-bench .
docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
```
4. Copy the URI of your pushed image, the URI format is like this: `<AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest`
5. Replace the `image` value in `job-eks-stig.yaml` with the URI from Step 4
6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks-stig.yaml`
7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces`
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
### Running on OpenShift ### Running on OpenShift

56
hack/kind-stig.test.yaml Normal file
View File

@ -0,0 +1,56 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
command: [
"kube-bench",
"run",
"--benchmark",
"eks-stig-kubernetes-v1r6",
]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
- name: kind-bin
mountPath: /kind/bin
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
- name: kind-bin
hostPath:
path: "/kind/bin"

56
hack/kind-stig.yaml Normal file
View File

@ -0,0 +1,56 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:${VERSION}
command: [
"kube-bench",
"run",
"--benchmark",
"eks-stig-kubernetes-v1r6",
]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
- name: kind-bin
mountPath: /kind/bin
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
- name: kind-bin
hostPath:
path: "/kind/bin"

266
integration/testdata/Expected_output_stig.data vendored Normal file
View File

@ -0,0 +1,266 @@
[INFO] 1 Control Plane Components
== Summary master ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO
[INFO] 2 Control Plane Configuration
[INFO] 2.1 DISA Category Code I
[FAIL] V-242390 The Kubernetes API server must have anonymous authentication disabled (Automated)
[FAIL] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated)
[INFO] 2.2 DISA Category Code II
[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
[WARN] V-242402 The Kubernetes API Server must have an audit log path set (Manual)
[WARN] V-242403 Kubernetes API Server must generate audit records (Manual)
[WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual)
[WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual)
[WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual)
[WARN] V-242464 The Kubernetes API Server audit log retention must be set. (Manual)
[WARN] V-242465 The Kubernetes API Server audit log path must be set. (Manual)
[WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)
== Remediations controlplane ==
V-242390 If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
V-242400 Edit any manifest files or $kubeletconf that contain the feature-gates
setting with AllAlpha set to "true".
Set the flag to "false" or remove the "AllAlpha" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
V-242402 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242403 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242461 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242462 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242463 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242464 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242443 Upgrade Kubernetes to a supported version.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
== Summary controlplane ==
0 checks PASS
2 checks FAIL
9 checks WARN
0 checks INFO
[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 DISA Category Code I
[WARN] V-242387 The Kubernetes Kubelet must have the read-only port flag disabled (Manual)
[PASS] V-242391 The Kubernetes Kubelet must have anonymous authentication disabled (Automated)
[PASS] V-242392 The Kubernetes kubelet must enable explicit authorization (Automated)
[FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated)
[WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables.(Manual)
[FAIL] V-242434 Kubernetes Kubelet must enable kernel protection (Automated)
[PASS] V-242435 Kubernetes must prevent non-privileged users from executing privileged functions (Automated)
[FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. (Automated)
[FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)
[WARN] V-242395 Kubernetes dashboard must not be enabled. (Manual)
[PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated)
[PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated)
[PASS] V-242404 Kubernetes Kubelet must deny hostname override (Automated)
[PASS] V-242406 The Kubernetes kubelet configuration file must be owned by root (Automated)
[PASS] V-242407 The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)
[WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)
[WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual)
[WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. (Manual)
== Remediations node ==
V-242387 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
V-242397 Edit /var/lib/kubelet/config.yaml on each node to to remove the staticPodPath
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
V-242415 Run the following command:
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
If any of the values returned reference environment variables
rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
V-242434 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
V-242393 To stop the sshd service, run the command: systemctl stop sshd
V-242394 To disable the sshd service, run the command:
chkconfig sshd off
V-242395 Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
If any resources are returned, this is a finding.
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
V-242414 For any of the pods that are using ports below 1024,
reconfigure the pod to use a service to map a host non-privileged
port to the pod port or reconfigure the image to use non-privileged ports.
V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command:
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c
Review the images used for pods running within Kubernetes.
Remove any old pods that are using older images.
V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
Upgrade the Master and Worker nodes to the latest version of kubectl.
== Summary node ==
8 checks PASS
4 checks FAIL
6 checks WARN
0 checks INFO
[INFO] 4 Policies
[INFO] 4.1 Policies - DISA Category Code I
[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
[WARN] V-242383 User-managed resources must be created in dedicated namespaces. (Manual)
[WARN] V-242417 Kubernetes must separate user functionality. (Manual)
== Remediations policies ==
V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
V-242383 Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
V-242417 Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
== Summary policies ==
0 checks PASS
0 checks FAIL
3 checks WARN
0 checks INFO
[INFO] 5 Managed Services
[INFO] 5.1 DISA Category Code I
[INFO] V-242386 The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane
[INFO] V-242388 The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane
[WARN] V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)
[INFO] V-245542 Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane
[INFO] 5.2 DISA Category Code II
[INFO] V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
[INFO] V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
[INFO] V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane
[INFO] V-242384 The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane
[INFO] V-242385 The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane
[INFO] V-242389 The Kubernetes API server must have the secure port set | Component of EKS Control Plane
[INFO] V-242401 The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane
[INFO] V-242402 The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane
[INFO] V-242403 Kubernetes API Server must generate audit records | Component of EKS Control Plane
[INFO] V-242405 The Kubernetes manifests must be owned by root | Component of EKS Control Plane
[INFO] V-242408 The Kubernetes manifests must have least privileges | Component of EKS Control Plane
[INFO] V-242409 Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane
[INFO] V-242410 The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242411 The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242412 The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242413 The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242418 The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane
[INFO] V-242419 Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242422 Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242423 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242424 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242425 Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane
[INFO] V-242426 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242427 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
[INFO] V-242428 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242429 Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242430 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242431 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
[INFO] V-242432 Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane
[INFO] V-242433 Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane
[INFO] V-242438 Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane
[INFO] V-242444 The Kubernetes component manifests must be owned by root | Component of EKS Control Plane
[INFO] V-242445 The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane
[INFO] V-242446 The Kubernetes conf files must be owned by root | Component of EKS Control Plane
[INFO] V-242447 The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242448 The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane
[INFO] V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242450 The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane
[INFO] V-242451 The Kubernetes component PKI must be owned by root | Component of EKS Control Plane
[INFO] V-242452 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242453 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
[INFO] V-242454 The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane
[INFO] V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242457 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
[INFO] V-242458 The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242460 The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane
[INFO] V-242468 The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane
[INFO] V-245541 Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane
[INFO] V-245543 Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane
[INFO] V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane
== Remediations managedservices ==
V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
== Summary managedservices ==
0 checks PASS
0 checks FAIL
1 checks WARN
62 checks INFO
== Summary total ==
8 checks PASS
6 checks FAIL
19 checks WARN
62 checks INFO

43
job-eks-stig.yaml Normal file
View File

@ -0,0 +1,43 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
spec:
hostPID: true
containers:
- name: kube-bench
# Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: docker.io/aquasec/kube-bench:latest
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
command:
[
"kube-bench",
"run",
"--benchmark",
"eks-stig-kubernetes-v1r6",
]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
restartPolicy: Never
volumes:
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"

12
makefile
View File

@ -78,3 +78,15 @@ kind-run: kind-push
kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \ kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
kubectl logs job/kube-bench > ./test.data && \ kubectl logs job/kube-bench > ./test.data && \
diff ./test.data integration/testdata/Expected_output.data diff ./test.data integration/testdata/Expected_output.data
kind-run-stig: KUBECONFIG = "./kubeconfig.kube-bench"
kind-run-stig: kind-push
sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind-stig.yaml > ./hack/kind-stig.test.yaml
kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG)
-KUBECONFIG=$(KUBECONFIG) \
kubectl delete job kube-bench
KUBECONFIG=$(KUBECONFIG) \
kubectl apply -f ./hack/kind-stig.test.yaml && \
kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
kubectl logs job/kube-bench > ./test.data && \
diff ./test.data integration/testdata/Expected_output_stig.data