
Making lots of progress

This commit is contained in:
Carter Williamson 2025-03-14 15:43:21 -07:00
parent 82ebcac31f
commit db6528ab80
8 changed files with 119 additions and 232 deletions


@ -8,54 +8,12 @@ groups:
- id: 2.1 - id: 2.1
text: "DISA Category Code I - API Server Security" text: "DISA Category Code I - API Server Security"
checks: checks:
- id: V-242378
text: "The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination."
audit: "grep -i tls-min-version /etc/kubernetes/manifests/kube-apiserver.yaml"
tests:
test_items:
- flag: "--tls-min-version"
compare:
op: nothave
value: "VersionTLS10"
- flag: "--tls-min-version"
compare:
op: nothave
value: "VersionTLS11"
remediation: |
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the value of "--tls-min-version" to "VersionTLS12" or higher.
scored: true
- id: V-242388
text: "The Kubernetes API server must not have the insecure bind address set."
audit: "grep -i insecure-bind-address /etc/kubernetes/manifests/kube-apiserver.yaml"
tests:
test_items:
- flag: "--insecure-bind-address"
set: false
remediation: |
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Remove the value of "--insecure-bind-address" setting.
scored: true
- id: V-242389
text: "The Kubernetes API server must have the secure port set."
audit: "grep -i secure-port /etc/kubernetes/manifests/kube-apiserver.yaml"
tests:
test_items:
- flag: "--secure-port"
compare:
op: gt
value: "0"
remediation: |
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the value of "--secure-port" to a value greater than "0".
scored: true
- id: V-242390 # Similar to CIS 3.2.1 - id: V-242390 # Similar to CIS 3.2.1
text: "The Kubernetes API server must have anonymous authentication disabled (Automated)" text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC kubelet"
audit_config: "/bin/cat $kubeletconf" # audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat /etc/kubernetes/kubelet-config.yaml"
# audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
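Review bot: V-242378 (API server TLS minimum version) is deleted from this group and no entry for that ID appears in any other hunk of the commit, so the control silently disappears from the report instead of being reported as skipped; V-242388 and V-242389 reappear as `type: "skip"` entries in the GKE file, and V-242378 should be carried the same way if the GKE control plane is treated as managed. Replacing `$kubeletbin` / `$kubeletconf` in V-242390's `audit:` and `audit_config:` with the literal `kubelet` and `/etc/kubernetes/kubelet-config.yaml` bypasses the per-platform variable substitution that the node file in this same commit still relies on (`audit: "/bin/ps -fC $kubeletbin"`), and if that literal path is absent on GKE nodes the `--anonymous-auth` test runs against empty output; if the literal path is intentional, delete the two commented-out variable lines rather than leaving both forms. Separately, V-242390 is worded as an API-server control but audits the kubelet process and config — presumably pre-existing, but worth confirming which component it is meant to cover.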
@ -116,32 +74,23 @@ groups:
- id: 2.2 - id: 2.2
text: "DISA Category Code II - Controller Manager Security" text: "DISA Category Code II - Controller Manager Security"
checks: checks:
- id: V-242381 # - id: V-242376
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)" # text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination."
type: "manual" # audit: "grep -i tls-min-version /etc/kubernetes/manifests/kube-controller-manager.yaml"
remediation: | # tests:
Create explicit service accounts wherever a Kubernetes workload requires specific access # test_items:
to the Kubernetes API server. # - flag: "--tls-min-version"
Modify the configuration of each default service account to include this value # compare:
automountServiceAccountToken: false # op: nothave
scored: false # value: "VersionTLS10"
- id: V-242376 # - flag: "--tls-min-version"
text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination." # compare:
audit: "grep -i tls-min-version /etc/kubernetes/manifests/kube-controller-manager.yaml" # op: nothave
tests: # value: "VersionTLS11"
test_items: # remediation: |
- flag: "--tls-min-version" # Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
compare: # Set the value of "--tls-min-version" to "VersionTLS12" or higher.
op: nothave
value: "VersionTLS10"
- flag: "--tls-min-version"
compare:
op: nothave
value: "VersionTLS11"
remediation: |
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the value of "--tls-min-version" to "VersionTLS12" or higher.
scored: true
- id: V-242443 - id: V-242443
text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)" text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
type: "manual" type: "manual"


@ -8,42 +8,13 @@ groups:
- id: 5.1 - id: 5.1
text: "DISA Category Code I" text: "DISA Category Code I"
checks: checks:
# TODO: Validate this one
- id: V-242386 - id: V-242386
text: "The Kubernetes API server must have the insecure port flag disabled." text: "The Kubernetes API server must have the insecure port flag disabled | Component of GKE Control Plane"
audit: "grep -i insecure-port /etc/kubernetes/manifests/kube-apiserver.yaml" type: "skip"
tests:
test_items:
- flag: "--insecure-port"
compare:
op: eq
value: "0"
remediation: |
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the value of "--insecure-port" to "0".
Note: The "--insecure-port" flag has been deprecated and can only be set to "0". This flag will be removed in Kubernetes v1.24.
scored: false
# - id: V-242386
# text: "The Kubernetes API server must have the insecure port flag disabled | Component of GKE Control Plane"
# type: "skip"
# TODO: Validate this one
- id: V-242388 - id: V-242388
text: "The Kubernetes API server must not have the insecure bind address set." text: "The Kubernetes API server must have the insecure bind address not set | Component of GKE Control Plane"
audit: "grep -i insecure-bind-address /etc/kubernetes/manifests/kube-apiserver.yaml" type: "skip"
tests:
test_items:
- flag: "--insecure-bind-address"
set: false
remediation: |
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Remove the value of "--insecure-bind-address" setting.
scored: false
# - id: V-242388
# text: "The Kubernetes API server must have the insecure bind address not set | Component of GKE Control Plane"
# type: "skip"
# TODO Verify this one (can't find it like on the aws side https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html) # TODO Verify this one (can't find it like on the aws side https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html)
- id: V-242436 - id: V-242436
@ -101,63 +72,17 @@ groups:
text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of GKE Control Plane" text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of GKE Control Plane"
type: "skip" type: "skip"
# TODO: Move to controlplane if this works in GKE
- id: V-242384 - id: V-242384
text: "The Kubernetes Scheduler must have secure binding." text: "The Kubernetes Scheduler must have secure binding | Component of GKE Control Plane"
audit: "grep -i bind-address /etc/kubernetes/manifests/kube-scheduler.yaml" type: "skip"
tests:
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
remediation: |
Edit the Kubernetes Scheduler manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the argument "--bind-address" to "127.0.0.1".
scored: false
# - id: V-242384
# text: "The Kubernetes Scheduler must have secure binding | Component of GKE Control Plane"
# type: "skip"
# TODO: Move to controlplane if this works in GKE
- id: V-242385 - id: V-242385
text: "The Kubernetes Controller Manager must have secure binding." text: "The Kubernetes Controller Manager must have secure binding | Component of GKE Control Plane"
audit: "grep -i bind-address /etc/kubernetes/manifests/kube-controller-manager.yaml" type: "skip"
tests:
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
remediation: |
Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the argument "--bind-address" to "127.0.0.1".
scored: false
# - id: V-242385
# text: "The Kubernetes Controller Manager must have secure binding | Component of GKE Control Plane"
# type: "skip"
# TODO: Move to controlplane if this works in GKE
- id: V-242389 - id: V-242389
text: "The Kubernetes API server must have the secure port set." text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane"
audit: "grep -i secure-port /etc/kubernetes/manifests/kube-apiserver.yaml" type: "skip"
tests:
test_items:
- flag: "--secure-port"
compare:
op: gt
value: "0"
remediation: |
Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Control Plane.
Set the value of "--secure-port" to a value greater than "0".
scored: false
# - id: V-242389
# text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane"
# type: "skip"
# TODO: Didn't actually see this one in the k8s stig file # TODO: Didn't actually see this one in the k8s stig file
# - id: V-242401 # - id: V-242401
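Review bot: The new V-242389 entry in the -101,63 hunk is labelled `Component of EKS Control Plane` inside a GKE benchmark file, while the other three entries converted in these hunks say GKE; change it to `text: "The Kubernetes API server must have the secure port set | Component of GKE Control Plane"`. Turning V-242386, V-242388, V-242384 and V-242385 into bare `type: "skip"` entries also drops their `scored` key, audit and remediation, so nothing in the file records why each is considered a managed-control-plane component; a one-line comment above each group, or a `# managed by GKE; see <reference>` style comment on the first skip entry, would keep that rationale auditable. The old `# TODO: Validate this one` / `# TODO: Move to controlplane if this works in GKE` comments go away with the checks, which is consistent with the change.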


@ -157,31 +157,9 @@ groups:
systemctl restart kubelet.service systemctl restart kubelet.service
systemctl status kubelet -l systemctl status kubelet -l
scored: true scored: true
# TODO Verify this, low confidence this will work
- id: V-242393
text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
tests:
test_items:
- flag: ActiveState
compare:
op: eq
value: inactive
remediation: |
To stop the sshd service, run the command: systemctl stop sshd
scored: true
# TODO Verify this, low confidence this will work
- id: V-242394
text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
tests:
test_items:
- flag: "disabled"
remediation: |
To disable the sshd service, run the command:
chkconfig sshd off
scored: true
# TODO: Verify this, probably requires rbac permissions using kubectl # TODO: Verify this, probably requires rbac permissions using kubectl
# This needs proper permissions set, TODO!!
- id: V-242395 - id: V-242395
text: "Kubernetes dashboard must not be enabled." text: "Kubernetes dashboard must not be enabled."
audit: "kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard" audit: "kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard"
@ -193,7 +171,8 @@ groups:
Delete the Kubernetes dashboard deployment with the following command: Delete the Kubernetes dashboard deployment with the following command:
kubectl delete deployment kubernetes-dashboard --namespace=kube-system kubectl delete deployment kubernetes-dashboard --namespace=kube-system
scored: true scored: true
# TODO This could be automated, but requires a little more effort or adding jq to the docker image
# TODO This could be automated, but requires a little more effort or adding jq to the docker image
# maybe test path will work # maybe test path will work
- id: V-242396 - id: V-242396
text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)" text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
@ -202,20 +181,24 @@ groups:
If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
Upgrade the Master and Worker nodes to the latest version of kubectl. Upgrade the Master and Worker nodes to the latest version of kubectl.
scored: false scored: false
- id: V-242397 - id: V-242397
text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)" text: "The Kubernetes kubelet staticPodPath must not enable static pods."
audit: "/bin/ps -fC $kubeletbin" audit: "ps -ef | grep $kubeletbin | grep -- --config"
audit_config: "/bin/cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "staticPodPath"
set: false
- path: '{.staticPodPath}' - path: '{.staticPodPath}'
set: false set: false
remediation: | remediation: |
Edit $kubeletconf on each node to to remove the staticPodPath Edit the Kubernetes kubelet configuration file.
Based on your system, restart the kubelet service. For example, Remove the setting "staticPodPath".
systemctl daemon-reload Restart the kubelet service using:
systemctl restart kubelet.service systemctl daemon-reload && systemctl restart kubelet
scored: true scored: true
- id: V-242398 - id: V-242398
text: "Kubernetes DynamicAuditing must not be enabled. (Automated)" text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
@ -351,41 +334,25 @@ groups:
- id: 3.2 - id: 3.2
text: "DISA Category Code II - Node Security" text: "DISA Category Code II - Node Security"
checks: checks:
- id: V-242391
text: "The Kubernetes Kubelet must have anonymous authentication disabled."
audit: "ps -ef | grep kubelet | grep -- --anonymous-auth"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: "false"
remediation: |
Edit the Kubernetes Kubelet configuration file.
Set the value of "anonymousAuth" to "false".
Restart the kubelet service using:
systemctl daemon-reload && systemctl restart kubelet
scored: true
- id: V-242392 # TODO Verify this, low confidence this will work
text: "The Kubernetes kubelet must enable explicit authorization." # These both don't work. Might need to be a manual check.
audit: "ps -ef | grep kubelet | grep -- --authorization-mode" - id: V-242393
text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: ActiveState
compare: compare:
op: eq op: eq
value: "Webhook" value: inactive
remediation: | remediation: |
Edit the Kubernetes Kubelet configuration file. To stop the sshd service, run the command: systemctl stop sshd
Set the "authorization.mode" to "Webhook".
Restart the kubelet service using:
systemctl daemon-reload && systemctl restart kubelet
scored: true scored: true
- id: V-242393 - id: V-242393
text: "Kubernetes Worker Nodes must not have sshd service running." text: "Kubernetes Worker Nodes must not have sshd service running."
audit: "systemctl status sshd" audit: "/bin/sh -c \"systemctl status sshd\""
tests: tests:
test_items: test_items:
- flag: "sshd" - flag: "sshd"
@ -399,6 +366,18 @@ groups:
systemctl disable sshd systemctl disable sshd
scored: true scored: true
# TODO Verify this, low confidence this will work
# Both of these are not working at the moment
- id: V-242394
text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
tests:
test_items:
- flag: "disabled"
remediation: |
To disable the sshd service, run the command:
chkconfig sshd off
scored: true
- id: V-242394 - id: V-242394
text: "Kubernetes Worker Nodes must not have the sshd service enabled." text: "Kubernetes Worker Nodes must not have the sshd service enabled."
audit: "systemctl is-enabled sshd" audit: "systemctl is-enabled sshd"
@ -413,19 +392,6 @@ groups:
systemctl disable sshd systemctl disable sshd
scored: true scored: true
- id: V-242397
text: "The Kubernetes kubelet staticPodPath must not enable static pods."
audit: "ps -ef | grep kubelet | grep -- --config"
tests:
test_items:
- flag: "staticPodPath"
set: false
remediation: |
Edit the Kubernetes kubelet configuration file.
Remove the setting "staticPodPath".
Restart the kubelet service using:
systemctl daemon-reload && systemctl restart kubelet
scored: true
- id: V-242434 # CIS 3.2.6 - id: V-242434 # CIS 3.2.6
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)" text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"


@ -24,6 +24,7 @@ groups:
remediation: | remediation: |
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces. Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
scored: false scored: false
- id: V-242437 - id: V-242437
text: "Kubernetes must have a pod security policy set." text: "Kubernetes must have a pod security policy set."
audit: "kubectl get podsecuritypolicy" audit: "kubectl get podsecuritypolicy"


@ -23,7 +23,7 @@ import (
"github.com/golang/glog" "github.com/golang/glog"
) )
// NodeType indicates the type of node (master, node). // NodeType indicates the type of node (master, node, federated, etcd, controlplane, policies, managedservices).
type NodeType string type NodeType string
// State is the state of a control check. // State is the state of a control check.


@ -66,8 +66,8 @@ var (
// RootCmd represents the base command when called without any subcommands // RootCmd represents the base command when called without any subcommands
var RootCmd = &cobra.Command{ var RootCmd = &cobra.Command{
Use: os.Args[0], Use: os.Args[0],
Short: "Run CIS Benchmarks checks against a Kubernetes deployment", Short: "Run CIS and STIG Benchmarks checks against a Kubernetes deployment",
Long: `This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`, Long: `This tool runs the CIS and STIG Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/)`,
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, getPlatformInfo(), viper.GetViper()) bv, err := getBenchmarkVersion(kubeVersion, benchmarkVersion, getPlatformInfo(), viper.GetViper())
if err != nil { if err != nil {
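Review bot: The new `Long` string claims "CIS and STIG Kubernetes Benchmark" but its parenthetical still cites only the CIS site, so the STIG half of the statement has no reference; rewording it to "This tool runs the CIS Kubernetes Benchmark (https://www.cisecurity.org/benchmark/kubernetes/) and DISA STIG checks for Kubernetes" keeps the existing link accurate and makes clear the STIG profiles are separate. The `Short` text "Run CIS and STIG Benchmarks checks" is also awkward; `Short: "Run CIS and STIG benchmark checks against a Kubernetes deployment"` reads better.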


@ -57,7 +57,7 @@ the `controls` components have an id and a text description which are displayed
in the `kube-bench` output. in the `kube-bench` output.
`type` specifies what kubernetes node type a `controls` is for. Possible values `type` specifies what kubernetes node type a `controls` is for. Possible values
for `type` are `master` and `node`. for `type` are `[master, node, federated, etcd, controlplane, policies, managedservices]`.
## Groups ## Groups

46
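--- /dev/null
+++ b/job-gke-stig.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: kube-bench
+spec:
+template:
+spec:
+hostPID: true
+containers:
+- name: kube-bench
+imagePullPolicy: Always
+# Push the image to your ECR and then refer to it here
+# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
+image: us-docker.pkg.dev/dev-frm-core/dev-frm/kube-bench:gke-stig
+# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
+command:
+[
+"kube-bench",
+"run",
+"--benchmark",
+"gke-stig-kubernetes-v2r2",
+"-v",
+"10",
+]
+volumeMounts:
+- name: var-lib-kubelet
+mountPath: /var/lib/kubelet
+readOnly: true
+- name: etc-systemd
+mountPath: /etc/systemd
+readOnly: true
+- name: etc-kubernetes
+mountPath: /etc/kubernetes
+readOnly: true
+restartPolicy: Never
+volumes:
+- name: var-lib-kubelet
+hostPath:
+path: "/var/lib/kubelet"
+- name: etc-systemd
+hostPath:
+path: "/etc/systemd"
+- name: etc-kubernetes
+hostPath:
+path: "/etc/kubernetes"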
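Review bot: The `image:` line pins a private development registry path (`us-docker.pkg.dev/dev-frm-core/dev-frm/kube-bench:gke-stig`) that other users cannot pull, and the comments around it are copied from the EKS job (`Push the image to your ECR`, `refer to job-eks-asff.yaml`), so the manifest does not describe its own platform; point `image:` at the same published kube-bench image the project's other job manifests use (presumably, I cannot see them here) with a comment telling GKE users where to substitute their own Artifact Registry path, and reword the comments for GKE. The `"-v", "10"` arguments select maximum log verbosity, which looks like a leftover from development; drop them from a shipped manifest or add a comment on why that level is wanted. `hostPID: true` and the three `hostPath` mounts are what the benchmark needs to read node state and are all `readOnly: true`, which is the right posture.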