Adding eks-stig-kubernetes-v1r6 (#1266)
* Adding eks-stig-kubernetes-v1r6 * Fixing lint errors * Reformatting texts * Removing pinned docker tag * Updating Expected Stig Output Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
This commit is contained in:
parent
e05dabe0a9
commit
a34047c105
@ -77,3 +77,4 @@ Finally, we can use the `make kind-run` target to run the current version of kub
|
||||
|
||||
Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )
|
||||
|
||||
To run the STIG tests locally execute the following: `make build-docker kind-push kind-run-stig`
|
||||
|
@ -324,3 +324,8 @@ target_mapping:
|
||||
- "controlplane"
|
||||
- "policies"
|
||||
- "etcd"
|
||||
"eks-stig-kubernetes-v1r6":
|
||||
- "node"
|
||||
- "controlplane"
|
||||
- "policies"
|
||||
- "managedservices"
|
||||
|
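Review bot: The new `eks-stig-kubernetes-v1r6` entry in `target_mapping` lists `node`, `controlplane`, `policies` and `managedservices` but not `master`, while this same commit adds `cfg/eks-stig-kubernetes-v1r6/master.yaml` and the docs table added below lists `master` as a valid target for this STIG. Either add `- "master"` here (and give master.yaml a `groups:` key, since that file currently ends at `type: "master"` with no groups), or drop the master stub and the docs entry so the documented targets match what the mapping actually resolves. The surrounding `target_mapping` block starts outside this hunk.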
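--- /dev/null
+++ b/cfg/eks-stig-kubernetes-v1r6/config.yaml
@@ -0,0 +1,9 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
+## These settings are required if you are using the --asff option to report findings to AWS Security Hub
+## AWS account number is required.
+AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
+## AWS region is required.
+AWS_REGION: "<AWS_REGION>"
+## EKS Cluster ARN is required.
+CLUSTER_ARN: "<AWS_CLUSTER_ARN>"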
124
cfg/eks-stig-kubernetes-v1r6/controlplane.yaml
Normal file
124
cfg/eks-stig-kubernetes-v1r6/controlplane.yaml
Normal file
@ -0,0 +1,124 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-stig-kubernetes-v1r6"
|
||||
id: 2
|
||||
text: "Control Plane Configuration"
|
||||
type: "controlplane"
|
||||
groups:
|
||||
- id: 2.1
|
||||
text: "DISA Category Code I"
|
||||
checks:
|
||||
- id: V-242390
|
||||
text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
path: '{.authentication.anonymous.enabled}'
|
||||
set: true
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
|
||||
false.
|
||||
If using executable arguments, edit the kubelet service file
|
||||
$kubeletsvc on each worker node and
|
||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--anonymous-auth=false
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
- id: V-242400
|
||||
text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--feature-gates"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AllAlpha=true"
|
||||
set: true
|
||||
- flag: "--feature-gates"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit any manifest files or $kubeletconf that contain the feature-gates
|
||||
setting with AllAlpha set to "true".
|
||||
Set the flag to "false" or remove the "AllAlpha" setting
|
||||
completely. Restart the kubelet service if the kubelet config file
|
||||
if the kubelet config file is changed.
|
||||
scored: true
|
||||
- id: 2.2
|
||||
text: "DISA Category Code II"
|
||||
checks:
|
||||
- id: V-242381
|
||||
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
||||
to the Kubernetes API server.
|
||||
Modify the configuration of each default service account to include this value
|
||||
automountServiceAccountToken: false
|
||||
scored: false
|
||||
- id: V-242402
|
||||
text: "The Kubernetes API Server must have an audit log path set (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||||
scored: false
|
||||
- id: V-242403
|
||||
text: "Kubernetes API Server must generate audit records (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||||
scored: false
|
||||
- id: V-242461
|
||||
text: "Kubernetes API Server audit logs must be enabled. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||||
scored: false
|
||||
- id: V-242462
|
||||
text: "The Kubernetes API Server must be set to audit log max size. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||||
scored: false
|
||||
- id: V-242463
|
||||
text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||||
scored: false
|
||||
- id: V-242464
|
||||
text: "The Kubernetes API Server audit log retention must be set. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||||
scored: false
|
||||
- id: V-242465
|
||||
text: "The Kubernetes API Server audit log path must be set. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
|
||||
scored: false
|
||||
- id: 2.2
|
||||
text: "DISA Category Code II"
|
||||
checks:
|
||||
- id: V-242443
|
||||
text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Upgrade Kubernetes to a supported version.
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
|
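Review bot: The group id `2.2` is used twice in this file — once for the `DISA Category Code II` group holding V-242381 through V-242465, and again for a second group with the same id and text holding only V-242443; the second needs a distinct id (e.g. `- id: 2.3`) or its check should be folded into the first group, since duplicate group ids make the summary output ambiguous. V-242390 and V-242400 are titled as API server requirements and are `scored: true` automated checks, yet their `audit`/`audit_config` read `$kubeletbin` and `$kubeletconf`, so a PASS reflects the worker kubelet's settings rather than the EKS API server's (the same kubelet check already exists as V-242391 in node.yaml); if that mapping is deliberate, a comment such as `# API server flags are not inspectable on EKS; the kubelet equivalent is checked instead` above each would save the next reader the same question. V-242443 is also the only check in the file without a `scored:` key and its `text` starts with a stray space, and V-242402/V-242403 are defined here as `type: "manual"` while managedservices.yaml defines the same IDs as `type: "skip"`, so one STIG ID will be reported twice with different results.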
268
cfg/eks-stig-kubernetes-v1r6/managedservices.yaml
Normal file
268
cfg/eks-stig-kubernetes-v1r6/managedservices.yaml
Normal file
@ -0,0 +1,268 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-stig-kubernetes-v1r6"
|
||||
id: 5
|
||||
text: "Managed Services"
|
||||
type: "managedservices"
|
||||
groups:
|
||||
- id: 5.1
|
||||
text: "DISA Category Code I"
|
||||
checks:
|
||||
- id: V-242386
|
||||
text: "The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242388
|
||||
text: "The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242436
|
||||
text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
|
||||
Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
|
||||
scored: false
|
||||
|
||||
- id: V-245542
|
||||
text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: 5.2
|
||||
text: "DISA Category Code II"
|
||||
checks:
|
||||
- id: V-242376
|
||||
text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242377
|
||||
text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242378
|
||||
text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242379
|
||||
text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242380
|
||||
text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242382
|
||||
text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242384
|
||||
text: "The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242385
|
||||
text: "The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242389
|
||||
text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242401
|
||||
text: "The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242402
|
||||
text: "The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242403
|
||||
text: "Kubernetes API Server must generate audit records | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242405
|
||||
text: "The Kubernetes manifests must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242408
|
||||
text: "The Kubernetes manifests must have least privileges | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242409
|
||||
text: "Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242410
|
||||
text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242411
|
||||
text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242412
|
||||
text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242413
|
||||
text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242418
|
||||
text: "The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242419
|
||||
text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242420
|
||||
text: "Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242421
|
||||
text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242422
|
||||
text: "Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242423
|
||||
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242424
|
||||
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242425
|
||||
text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242426
|
||||
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242427
|
||||
text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242428
|
||||
text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242429
|
||||
text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242430
|
||||
text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242431
|
||||
text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242432
|
||||
text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242433
|
||||
text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242438
|
||||
text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242444
|
||||
text: "The Kubernetes component manifests must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242445
|
||||
text: "The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242446
|
||||
text: "The Kubernetes conf files must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242447
|
||||
text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242448
|
||||
text: "The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242449
|
||||
text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242450
|
||||
text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242451
|
||||
text: "The Kubernetes component PKI must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242452
|
||||
text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242453
|
||||
text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242454
|
||||
text: "The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242455
|
||||
text: "The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242456
|
||||
text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242457
|
||||
text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242458
|
||||
text: "The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242459
|
||||
text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242460
|
||||
text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242466
|
||||
text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242467
|
||||
text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-242468
|
||||
text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-245541
|
||||
text: "Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-245543
|
||||
text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane"
|
||||
type: "skip"
|
||||
|
||||
- id: V-245544
|
||||
text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane"
|
||||
type: "skip"
|
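Review bot: Several distinct STIG IDs in this file carry identical `text` — V-242379/V-242380, V-242423/V-242424/V-242426, V-242427/V-242431 and V-242428/V-242430 — which looks like copy-paste; please verify each title against the STIG so the report names the right requirement for each ID. V-242402 and V-242403 are also present in controlplane.yaml as `type: "manual"` while here they are `type: "skip"`, so the same ID yields two conflicting results in a full run; keep each ID in exactly one file. A short header comment explaining the skips, e.g. `# Checks marked "Component of EKS Control Plane" are skipped because the control plane is AWS-managed and not inspectable from a node`, would document the intent that is currently only implied by the `text` suffix, and V-242436's `(manual)` suffix should use the `(Manual)` casing used everywhere else.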
6
cfg/eks-stig-kubernetes-v1r6/master.yaml
Normal file
6
cfg/eks-stig-kubernetes-v1r6/master.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-stig-kubernetes-v1r6"
|
||||
id: 1
|
||||
text: "Control Plane Components"
|
||||
type: "master"
|
287
cfg/eks-stig-kubernetes-v1r6/node.yaml
Normal file
287
cfg/eks-stig-kubernetes-v1r6/node.yaml
Normal file
@ -0,0 +1,287 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-stig-kubernetes-v1r6"
|
||||
id: 3
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
groups:
|
||||
- id: 3.1
|
||||
text: "DISA Category Code I"
|
||||
checks:
|
||||
- id: V-242387 # CIS 3.2.4
|
||||
text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--read-only-port"
|
||||
path: '{.readOnlyPort}'
|
||||
set: true
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
$kubeletsvc on each worker node and
|
||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--read-only-port=0
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: false
|
||||
- id: V-242391 # CIS 3.2.1
|
||||
text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
path: '{.authentication.anonymous.enabled}'
|
||||
set: true
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
|
||||
false.
|
||||
If using executable arguments, edit the kubelet service file
|
||||
$kubeletsvc on each worker node and
|
||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--anonymous-auth=false
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
- id: V-242392 # CIS 3.2.2
|
||||
text: "The Kubernetes kubelet must enable explicit authorization (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: --authorization-mode
|
||||
path: '{.authorization.mode}'
|
||||
set: true
|
||||
compare:
|
||||
op: nothave
|
||||
value: AlwaysAllow
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
|
||||
using executable arguments, edit the kubelet service file
|
||||
$kubeletsvc on each worker node and
|
||||
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
||||
--authorization-mode=Webhook
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
- id: V-242397
|
||||
text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
test_items:
|
||||
- path: '{.staticPodPath}'
|
||||
set: false
|
||||
remediation: |
|
||||
Edit $kubeletconf on each node to to remove the staticPodPath
|
||||
Based on your system, restart the kubelet service. For example,
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
- id: V-242415
|
||||
text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Run the following command:
|
||||
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
|
||||
If any of the values returned reference environment variables
|
||||
rewrite application code to read secrets from mounted secret files, rather than
|
||||
from environment variables.
|
||||
scored: false
|
||||
- id: V-242434 # CIS 3.2.6
|
||||
text: "Kubernetes Kubelet must enable kernel protection (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: --protect-kernel-defaults
|
||||
path: '{.protectKernelDefaults}'
|
||||
set: true
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
$kubeletsvc on each worker node and
|
||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--protect-kernel-defaults=true
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
- id: V-242435
|
||||
text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: --authorization-mode
|
||||
path: '{.authorization.mode}'
|
||||
set: true
|
||||
compare:
|
||||
op: nothave
|
||||
value: AlwaysAllow
|
||||
remediation: |
|
||||
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
|
||||
using executable arguments, edit the kubelet service file
|
||||
$kubeletsvc on each worker node and
|
||||
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
||||
--authorization-mode=Webhook
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
- id: V-242393
|
||||
text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
|
||||
audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
|
||||
tests:
|
||||
test_items:
|
||||
- flag: ActiveState
|
||||
compare:
|
||||
op: eq
|
||||
value: inactive
|
||||
remediation: |
|
||||
To stop the sshd service, run the command: systemctl stop sshd
|
||||
scored: true
|
||||
- id: V-242394
|
||||
text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
|
||||
audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "disabled"
|
||||
remediation: |
|
||||
To disable the sshd service, run the command:
|
||||
chkconfig sshd off
|
||||
scored: true
|
||||
- id: V-242395
|
||||
text: "Kubernetes dashboard must not be enabled. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
|
||||
If any resources are returned, this is a finding.
|
||||
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
|
||||
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
|
||||
scored: false
|
||||
- id: V-242398
|
||||
text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--feature-gates"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "DynamicAuditing=true"
|
||||
set: true
|
||||
- flag: "--feature-gates"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit any manifest files or kubelet config files that contain the feature-gates
|
||||
setting with DynamicAuditing set to "true".
|
||||
Set the flag to "false" or remove the "DynamicAuditing" setting
|
||||
completely. Restart the kubelet service if the kubelet config file
|
||||
if the kubelet config file is changed.
|
||||
scored: true
|
||||
- id: V-242399
|
||||
text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--feature-gates"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "DynamicKubeletConfig=true"
|
||||
set: true
|
||||
- flag: "--feature-gates"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit any manifest files or $kubeletconf that contain the feature-gates
|
||||
setting with DynamicKubeletConfig set to "true".
|
||||
Set the flag to "false" or remove the "DynamicKubeletConfig" setting
|
||||
completely. Restart the kubelet service if the kubelet config file
|
||||
if the kubelet config file is changed.
|
||||
scored: true
|
||||
- id: V-242404 # CIS 3.2.8
|
||||
text: "Kubernetes Kubelet must deny hostname override (Automated)"
|
||||
# This is one of those properties that can only be set as a command line argument.
|
||||
# To check if the property is set as expected, we need to parse the kubelet command
|
||||
# instead reading the Kubelet Configuration file.
|
||||
audit: "/bin/ps -fC $kubeletbin "
|
||||
tests:
|
||||
test_items:
|
||||
- flag: --hostname-override
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletbin
|
||||
on each worker node and remove the --hostname-override argument from the
|
||||
KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
- id: V-242406
|
||||
text: "The Kubernetes kubelet configuration file must be owned by root (Automated)"
|
||||
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
|
||||
tests:
|
||||
test_items:
|
||||
- flag: root:root
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chown root:root $kubeletkubeconfig
|
||||
scored: true
|
||||
- id: V-242407
|
||||
text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)"
|
||||
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "permissions"
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
remediation: |
|
||||
Run the following command (using the config file location identified in the Audit step)
|
||||
chmod 644 $kubeletconf
|
||||
scored: true
|
||||
- id: V-242414
|
||||
text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
For any of the pods that are using ports below 1024,
|
||||
reconfigure the pod to use a service to map a host non-privileged
|
||||
port to the pod port or reconfigure the image to use non-privileged ports.
|
||||
scored: false
|
||||
- id: V-242442
|
||||
text: "Kubernetes must remove old components after updated versions have been installed. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
To view all pods and the images used to create the pods, from the Master node, run the following command:
|
||||
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
|
||||
tr -s '[[:space:]]' '\n' | \
|
||||
sort | \
|
||||
uniq -c
|
||||
Review the images used for pods running within Kubernetes.
|
||||
Remove any old pods that are using older images.
|
||||
scored: false
|
||||
- id: V-242396
|
||||
text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
|
||||
Upgrade the Master and Worker nodes to the latest version of kubectl.
|
||||
scored: false
|
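Review bot: The remediation for V-242404 tells the operator to edit `$kubeletbin` as the kubelet service file, but `$kubeletbin` is the binary referenced by the `audit` lines and every other remediation in this file names the service file as `$kubeletsvc`; the line should read `Edit the kubelet service file $kubeletsvc`. V-242394 audits with `systemctl is-enabled sshd.service` and expects the literal `disabled`, so on a node where sshd is not installed the command prints an error instead and the check fails even though the requirement is met — consider a `bin_op: or` with a second test item covering that case — and its remediation `chkconfig sshd off` should be `systemctl disable sshd` to match the systemd-based audit. V-242392 and V-242435 are byte-identical checks (same audit, test items and remediation) under two IDs, and V-242387 is titled `(Manual)` yet carries an automated test; please confirm both are intended. The remediation text for V-242398 and V-242399 (and V-242400 in controlplane.yaml) repeats the phrase `if the kubelet config file` twice.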
33
cfg/eks-stig-kubernetes-v1r6/policies.yaml
Normal file
33
cfg/eks-stig-kubernetes-v1r6/policies.yaml
Normal file
@ -0,0 +1,33 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-stig-kubernetes-v1r6"
|
||||
id: 4
|
||||
text: "Policies"
|
||||
type: "policies"
|
||||
groups:
|
||||
- id: 4.1
|
||||
text: "Policies - DISA Category Code I"
|
||||
checks:
|
||||
- id: V-242381
|
||||
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
||||
to the Kubernetes API server.
|
||||
Modify the configuration of each default service account to include this value
|
||||
automountServiceAccountToken: false
|
||||
scored: false
|
||||
|
||||
- id: V-242383
|
||||
text: "User-managed resources must be created in dedicated namespaces. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
|
||||
scored: false
|
||||
|
||||
- id: V-242417
|
||||
text: "Kubernetes must separate user functionality. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
|
||||
scored: false
|
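Review bot: V-242381 is defined here and again in controlplane.yaml (group 2.2) with identical text and remediation, so a run covering both targets reports the same STIG ID twice; keep it in one file, and policies.yaml looks like the natural home since the finding concerns service account configuration rather than control plane settings. All three checks here are manual with no `audit` command; a comment above `checks:` such as `# Namespace and service-account hygiene cannot be verified from the node filesystem; reviewed manually` would make clear why none of them is automated.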
@ -27,4 +27,10 @@ The following table shows the valid targets based on the CIS Benchmark version.
|
||||
| rh-0.7 | master,node|
|
||||
| rh-1.0 | master, controlplane, node, etcd, policies |
|
||||
|
||||
The following table shows the valid DISA STIG versions
|
||||
|
||||
| STIG | Targets |
|
||||
|----------------------------|---------|
|
||||
| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices |
|
||||
|
||||
|
||||
|
@ -2,7 +2,10 @@
## CIS Kubernetes Benchmark support
kube-bench supports running tests for Kubernetes.
Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
Most of our supported benchmarks are defined in one of the following:
[CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
[STIG Document Library](https://public.cyber.mil/stigs/downloads)
Some defined by other hardenening guides.
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
@ -18,3 +21,4 @@ Some defined by other hardenening guides.
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |
@ -77,7 +77,7 @@ docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
```
kube-bench cannot be run on AKS master nodes
### Running in an EKS cluster
### Running CIS benchmark in an EKS cluster
There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
@ -103,6 +103,31 @@ docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
### Running DISA STIG in an EKS cluster
There is a `job-eks-stig.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide*
- Information on configuring `eksctl`, `kubectl` and the AWS CLI is within
2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image
```
aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
```
3. Download, build and push the kube-bench container image to your ECR repo
```
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
docker build -t k8s/kube-bench .
docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
```
4. Copy the URI of your pushed image, the URI format is like this: `<AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest`
5. Replace the `image` value in `job-eks-stig.yaml` with the URI from Step 4
6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks-stig.yaml`
7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces`
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
### Running on OpenShift
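--- /dev/null
+++ b/hack/kind-stig.test.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: kube-bench
+spec:
+template:
+metadata:
+labels:
+app: kube-bench
+spec:
+hostPID: true
+containers:
+- name: kube-bench
+image: docker.io/aquasec/kube-bench:latest
+command: [
+"kube-bench",
+"run",
+"--benchmark",
+"eks-stig-kubernetes-v1r6",
+]
+volumeMounts:
+- name: var-lib-etcd
+mountPath: /var/lib/etcd
+- name: var-lib-kubelet
+mountPath: /var/lib/kubelet
+- name: etc-systemd
+mountPath: /etc/systemd
+- name: etc-kubernetes
+mountPath: /etc/kubernetes
+# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+# You can omit this mount if you specify --version as part of the command.
+- name: usr-bin
+mountPath: /usr/local/mount-from-host/bin
+- name: kind-bin
+mountPath: /kind/bin
+restartPolicy: Never
+volumes:
+- name: var-lib-etcd
+hostPath:
+path: "/var/lib/etcd"
+- name: var-lib-kubelet
+hostPath:
+path: "/var/lib/kubelet"
+- name: etc-systemd
+hostPath:
+path: "/etc/systemd"
+- name: etc-kubernetes
+hostPath:
+path: "/etc/kubernetes"
+- name: usr-bin
+hostPath:
+path: "/usr/bin"
+- name: kind-bin
+hostPath:
+path: "/kind/bin"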
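--- /dev/null
+++ b/hack/kind-stig.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: kube-bench
+spec:
+template:
+metadata:
+labels:
+app: kube-bench
+spec:
+hostPID: true
+containers:
+- name: kube-bench
+image: docker.io/aquasec/kube-bench:${VERSION}
+command: [
+"kube-bench",
+"run",
+"--benchmark",
+"eks-stig-kubernetes-v1r6",
+]
+volumeMounts:
+- name: var-lib-etcd
+mountPath: /var/lib/etcd
+- name: var-lib-kubelet
+mountPath: /var/lib/kubelet
+- name: etc-systemd
+mountPath: /etc/systemd
+- name: etc-kubernetes
+mountPath: /etc/kubernetes
+# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+# You can omit this mount if you specify --version as part of the command.
+- name: usr-bin
+mountPath: /usr/local/mount-from-host/bin
+- name: kind-bin
+mountPath: /kind/bin
+restartPolicy: Never
+volumes:
+- name: var-lib-etcd
+hostPath:
+path: "/var/lib/etcd"
+- name: var-lib-kubelet
+hostPath:
+path: "/var/lib/kubelet"
+- name: etc-systemd
+hostPath:
+path: "/etc/systemd"
+- name: etc-kubernetes
+hostPath:
+path: "/etc/kubernetes"
+- name: usr-bin
+hostPath:
+path: "/usr/bin"
+- name: kind-bin
+hostPath:
+path: "/kind/bin"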
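Review bot: None of the six hostPath mounts under `volumeMounts` in this Job carry `readOnly: true`, while `job-eks-stig.yaml` in the same commit marks each of its mounts read-only; the result is a `hostPID: true` pod with writable access to `/var/lib/etcd`, `/etc/kubernetes` and `/usr/bin` on the kind node, which a benchmark that only reads configuration does not need. Adding `readOnly: true` under each mount keeps the kind test job at the same privilege as the shipped EKS job; the `/var/lib/etcd` mount also looks unused, since the target table added in this commit lists no etcd target for eks-stig-kubernetes-v1r6, so it could be dropped altogether (confirm nothing in the controlplane checks reads it). `hack/kind-stig.test.yaml` is the rendered copy of this file with the same mounts and would pick the change up on the next render.
```yaml
volumeMounts:
  - name: var-lib-etcd
    mountPath: /var/lib/etcd
    readOnly: true
  - name: var-lib-kubelet
    mountPath: /var/lib/kubelet
    readOnly: true
  - name: etc-systemd
    mountPath: /etc/systemd
    readOnly: true
  - name: etc-kubernetes
    mountPath: /etc/kubernetes
    readOnly: true
  # … unchanged: comments explaining the usr-bin mount …
  - name: usr-bin
    mountPath: /usr/local/mount-from-host/bin
    readOnly: true
  - name: kind-bin
    mountPath: /kind/bin
    readOnly: true
```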
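--- /dev/null
+++ b/integration/testdata/Expected_output_stig.data
@@ -0,0 +1,266 @@
+[INFO] 1 Control Plane Components
+
+== Summary master ==
+0 checks PASS
+0 checks FAIL
+0 checks WARN
+0 checks INFO
+
+[INFO] 2 Control Plane Configuration
+[INFO] 2.1 DISA Category Code I
+[FAIL] V-242390 The Kubernetes API server must have anonymous authentication disabled (Automated)
+[FAIL] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated)
+[INFO] 2.2 DISA Category Code II
+[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
+[WARN] V-242402 The Kubernetes API Server must have an audit log path set (Manual)
+[WARN] V-242403 Kubernetes API Server must generate audit records (Manual)
+[WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual)
+[WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual)
+[WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual)
+[WARN] V-242464 The Kubernetes API Server audit log retention must be set. (Manual)
+[WARN] V-242465 The Kubernetes API Server audit log path must be set. (Manual)
+[WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)
+
+== Remediations controlplane ==
+V-242390 If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
+false.
+If using executable arguments, edit the kubelet service file
+$kubeletsvc on each worker node and
+set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+--anonymous-auth=false
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242400 Edit any manifest files or $kubeletconf that contain the feature-gates
+setting with AllAlpha set to "true".
+Set the flag to "false" or remove the "AllAlpha" setting
+completely. Restart the kubelet service if the kubelet config file
+if the kubelet config file is changed.
+
+V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
+to the Kubernetes API server.
+Modify the configuration of each default service account to include this value
+automountServiceAccountToken: false
+
+V-242402 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242403 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242461 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242462 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242463 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242464 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242443 Upgrade Kubernetes to a supported version.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
+
+
+== Summary controlplane ==
+0 checks PASS
+2 checks FAIL
+9 checks WARN
+0 checks INFO
+
+[INFO] 3 Worker Node Security Configuration
+[INFO] 3.1 DISA Category Code I
+[WARN] V-242387 The Kubernetes Kubelet must have the read-only port flag disabled (Manual)
+[PASS] V-242391 The Kubernetes Kubelet must have anonymous authentication disabled (Automated)
+[PASS] V-242392 The Kubernetes kubelet must enable explicit authorization (Automated)
+[FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated)
+[WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables.(Manual)
+[FAIL] V-242434 Kubernetes Kubelet must enable kernel protection (Automated)
+[PASS] V-242435 Kubernetes must prevent non-privileged users from executing privileged functions (Automated)
+[FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. (Automated)
+[FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)
+[WARN] V-242395 Kubernetes dashboard must not be enabled. (Manual)
+[PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated)
+[PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated)
+[PASS] V-242404 Kubernetes Kubelet must deny hostname override (Automated)
+[PASS] V-242406 The Kubernetes kubelet configuration file must be owned by root (Automated)
+[PASS] V-242407 The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)
+[WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)
+[WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual)
+[WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. (Manual)
+
+== Remediations node ==
+V-242387 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set readOnlyPort to 0.
+If using command line arguments, edit the kubelet service file
+/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
+set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+--read-only-port=0
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242397 Edit /var/lib/kubelet/config.yaml on each node to to remove the staticPodPath
+Based on your system, restart the kubelet service. For example,
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242415 Run the following command:
+kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
+If any of the values returned reference environment variables
+rewrite application code to read secrets from mounted secret files, rather than
+from environment variables.
+
+V-242434 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set protectKernelDefaults: true.
+If using command line arguments, edit the kubelet service file
+/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
+set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+--protect-kernel-defaults=true
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242393 To stop the sshd service, run the command: systemctl stop sshd
+
+V-242394 To disable the sshd service, run the command:
+chkconfig sshd off
+
+V-242395 Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
+If any resources are returned, this is a finding.
+Fix Text: Delete the Kubernetes dashboard deployment with the following command:
+kubectl delete deployment kubernetes-dashboard --namespace=kube-system
+
+V-242414 For any of the pods that are using ports below 1024,
+reconfigure the pod to use a service to map a host non-privileged
+port to the pod port or reconfigure the image to use non-privileged ports.
+
+V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command:
+kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
+tr -s '[[:space:]]' '\n' | \
+sort | \
+uniq -c
+Review the images used for pods running within Kubernetes.
+Remove any old pods that are using older images.
+
+V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
+Upgrade the Master and Worker nodes to the latest version of kubectl.
+
+
+== Summary node ==
+8 checks PASS
+4 checks FAIL
+6 checks WARN
+0 checks INFO
+
+[INFO] 4 Policies
+[INFO] 4.1 Policies - DISA Category Code I
+[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
+[WARN] V-242383 User-managed resources must be created in dedicated namespaces. (Manual)
+[WARN] V-242417 Kubernetes must separate user functionality. (Manual)
+
+== Remediations policies ==
+V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
+to the Kubernetes API server.
+Modify the configuration of each default service account to include this value
+automountServiceAccountToken: false
+
+V-242383 Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
+
+V-242417 Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
+
+
+== Summary policies ==
+0 checks PASS
+0 checks FAIL
+3 checks WARN
+0 checks INFO
+
+[INFO] 5 Managed Services
+[INFO] 5.1 DISA Category Code I
+[INFO] V-242386 The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane
+[INFO] V-242388 The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane
+[WARN] V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)
+[INFO] V-245542 Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane
+[INFO] 5.2 DISA Category Code II
+[INFO] V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane
+[INFO] V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane
+[INFO] V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane
+[INFO] V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
+[INFO] V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
+[INFO] V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane
+[INFO] V-242384 The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane
+[INFO] V-242385 The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane
+[INFO] V-242389 The Kubernetes API server must have the secure port set | Component of EKS Control Plane
+[INFO] V-242401 The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane
+[INFO] V-242402 The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane
+[INFO] V-242403 Kubernetes API Server must generate audit records | Component of EKS Control Plane
+[INFO] V-242405 The Kubernetes manifests must be owned by root | Component of EKS Control Plane
+[INFO] V-242408 The Kubernetes manifests must have least privileges | Component of EKS Control Plane
+[INFO] V-242409 Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane
+[INFO] V-242410 The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242411 The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242412 The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242413 The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242418 The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane
+[INFO] V-242419 Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242422 Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane
+[INFO] V-242423 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242424 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242425 Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242426 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242427 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
+[INFO] V-242428 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
+[INFO] V-242429 Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242430 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
+[INFO] V-242431 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
+[INFO] V-242432 Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane
+[INFO] V-242433 Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane
+[INFO] V-242438 Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane
+[INFO] V-242444 The Kubernetes component manifests must be owned by root | Component of EKS Control Plane
+[INFO] V-242445 The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane
+[INFO] V-242446 The Kubernetes conf files must be owned by root | Component of EKS Control Plane
+[INFO] V-242447 The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242448 The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane
+[INFO] V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242450 The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane
+[INFO] V-242451 The Kubernetes component PKI must be owned by root | Component of EKS Control Plane
+[INFO] V-242452 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242453 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
+[INFO] V-242454 The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane
+[INFO] V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242457 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
+[INFO] V-242458 The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242460 The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane
+[INFO] V-242468 The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane
+[INFO] V-245541 Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane
+[INFO] V-245543 Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane
+[INFO] V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane
+
+== Remediations managedservices ==
+V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
+
+
+== Summary managedservices ==
+0 checks PASS
+0 checks FAIL
+1 checks WARN
+62 checks INFO
+
+== Summary total ==
+8 checks PASS
+6 checks FAIL
+19 checks WARN
+62 checks INFO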
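--- /dev/null
+++ b/job-eks-stig.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: kube-bench
+spec:
+template:
+spec:
+hostPID: true
+containers:
+- name: kube-bench
+# Push the image to your ECR and then refer to it here
+# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
+image: docker.io/aquasec/kube-bench:latest
+# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
+command:
+[
+"kube-bench",
+"run",
+"--benchmark",
+"eks-stig-kubernetes-v1r6",
+]
+volumeMounts:
+- name: var-lib-kubelet
+mountPath: /var/lib/kubelet
+readOnly: true
+- name: etc-systemd
+mountPath: /etc/systemd
+readOnly: true
+- name: etc-kubernetes
+mountPath: /etc/kubernetes
+readOnly: true
+restartPolicy: Never
+volumes:
+- name: var-lib-kubelet
+hostPath:
+path: "/var/lib/kubelet"
+- name: etc-systemd
+hostPath:
+path: "/etc/systemd"
+- name: etc-kubernetes
+hostPath:
+path: "/etc/kubernetes"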
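Review bot: `image: docker.io/aquasec/kube-bench:latest` leaves a Job that runs with `hostPID: true` and hostPath mounts of `/etc/kubernetes` and `/var/lib/kubelet` pulling whatever the mutable `latest` tag resolves to on each run, and the commit message says a pinned tag was removed here. For a compliance scan whose report is diffed against a fixed expected output, a release tag or digest is the safer default, e.g. `image: docker.io/aquasec/kube-bench:<RELEASE_VERSION>` (placeholder), with the comment above it extended to say the ECR copy should be pinned the same way. If matching the unpinned image of `job-eks.yaml` is deliberate, a one-line comment stating that would stop the next reviewer re-raising it. The `job-eks-asff.yaml` pointer presumably leads to a job still wired to the CIS EKS benchmark; if so, the comment should say the `--benchmark` argument has to be changed there for STIG findings.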
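--- a/makefile
+++ b/makefile
@@ -78,3 +78,15 @@ kind-run: kind-push
 kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
 kubectl logs job/kube-bench > ./test.data && \
 diff ./test.data integration/testdata/Expected_output.data
+
+kind-run-stig: KUBECONFIG = "./kubeconfig.kube-bench"
+kind-run-stig: kind-push
+sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind-stig.yaml > ./hack/kind-stig.test.yaml
+kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG)
+-KUBECONFIG=$(KUBECONFIG) \
+kubectl delete job kube-bench
+KUBECONFIG=$(KUBECONFIG) \
+kubectl apply -f ./hack/kind-stig.test.yaml && \
+kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
+kubectl logs job/kube-bench > ./test.data && \
+diff ./test.data integration/testdata/Expected_output_stig.data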
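Review bot: The `sed` line renders `./hack/kind-stig.yaml` into `./hack/kind-stig.test.yaml` inside the source tree, and that rendered file is also committed in this commit (with `:latest` already substituted for `${VERSION}`), so every `make kind-run-stig` leaves a tracked file modified and a stale committed copy can be what `kubectl apply` picks up. Either drop the committed copy and ignore `hack/kind-stig.test.yaml` (presumably the way the render output of `kind-run` is treated, if it has one; confirm in .gitignore), or render to a path under `$(TMPDIR)`. The recipe is otherwise `kind-run` with three names changed, so a single parameterised recipe would keep the two targets from drifting. `kind-run` itself begins above this hunk.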