3e3aa0ed82
Kubelet option --streaming-connection-idle-timeout expects a string value which fails parsing to integer for greater than comparison. The string "0" indicates no timeout and this is what we are checking for.
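---
# kube-bench control file for CIS Kubernetes Benchmark section 2 (worker
# nodes). Each check runs its `audit` command and evaluates `tests` against
# the command output:
#   - `flag` is the token searched for in the output; `set: true` requires it
#     to be present, `set: false` requires it to be absent;
#   - `compare` (op/value) constrains the flag's value when it is present;
#   - `bin_op: or` passes the check as soon as one test_item passes (when
#     bin_op is omitted, presumably every item must pass -- confirm against
#     the check runner).
# Compare values are written as quoted strings so YAML does not retype them
# (a bare 644 or 0 becomes an int, a bare false a bool); what the audit
# command prints is text, so the comparison operand should be text too.
# `$kubeletbin`, `$config`, `$kubeletconf`, `$proxyconf` and `$ca-file` are
# placeholders the tool is expected to substitute from its configuration
# before the command is run. NOTE(review): `$ca-file` is not a valid shell
# variable name, so the 2.2.7/2.2.8 audits only work if that substitution
# really happens first -- confirm the configuration defines `ca-file`.
#
# `controls:` deliberately carries no value: id/text/type/groups are read as
# top-level fields by the consumer (kept exactly as upstream writes it).
controls:
id: "2"
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: "2.1"
    text: "Kubelet"
    # These checks read kubelet flags from the running process command line
    # (ps), so a setting that reaches the kubelet by any other route is not
    # visible to them.
    checks:
      - id: "2.1.1"
        text: "Ensure that the --allow-privileged argument is set to false (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--allow-privileged"
              compare:
                op: eq
                value: "false"
              set: true
        remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV
          parameter to \"--allow-privileged=false\""
        scored: true

      - id: "2.1.2"
        text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              compare:
                op: eq
                value: "false"
              set: true
        remediation: "Edit the $kubeletconf file on the master node and set the
          KUBELET_ARGS parameter to \"--anonymous-auth=false\""
        scored: true

      - id: "2.1.3"
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--authorization-mode"
              compare:
                # nothave: the flag must be present and its value must not
                # contain AlwaysAllow.
                op: nothave
                value: "AlwaysAllow"
              set: true
        remediation: "Edit the $kubeletconf file on each node and set the
          KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
        scored: true

      - id: "2.1.4"
        text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            # Presence only: the path itself is not validated.
            - flag: "--client-ca-file"
              set: true
        remediation: "Follow the Kubernetes documentation and setup the TLS connection between
          the apiserver and kubelets. Then, edit the $kubeletconf file on each node
          and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
        scored: true

      - id: "2.1.5"
        text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--read-only-port"
              compare:
                op: eq
                value: "0"
              set: true
        remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
          parameter to \"--read-only-port=0\""
        scored: true

      - id: "2.1.6"
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          # Only one test item, so bin_op has no effect here; kept as upstream has it.
          bin_op: or
          test_items:
            - flag: "--streaming-connection-idle-timeout"
              compare:
                # The flag takes a string value, not an integer, so a numeric
                # greater-than comparison fails to parse it. The string "0"
                # means "no timeout" and is the one value rejected here.
                op: noteq
                value: "0"
              set: true
        remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
          parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
        scored: true

      - id: "2.1.7"
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--protect-kernel-defaults"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
          parameter to \"--protect-kernel-defaults=true\""
        scored: true

      - id: "2.1.8"
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          # Passes when the flag is explicitly true OR absent altogether
          # (the remediation removes the argument).
          bin_op: or
          test_items:
            - flag: "--make-iptables-util-chains"
              compare:
                op: eq
                value: "true"
              set: true
            - flag: "--make-iptables-util-chains"
              set: false
        remediation: "Edit the $kubeletconf file on each node and remove the
          --make-iptables-util-chains argument from the KUBELET_ARGS parameter."
        scored: true

      - id: "2.1.9"
        text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--keep-terminated-pod-volumes"
              compare:
                op: eq
                value: "false"
              set: true
        remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
          parameter to \"--keep-terminated-pod-volumes=false\""
        scored: true

      - id: "2.1.10"
        text: "Ensure that the --hostname-override argument is not set (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            # Absence check: the flag must not appear on the command line.
            - flag: "--hostname-override"
              set: false
        remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME
          parameter to \"\""
        scored: true

      - id: "2.1.11"
        text: "Ensure that the --event-qps argument is set to 0 (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--event-qps"
              compare:
                op: eq
                value: "0"
              set: true
        remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
          parameter to \"--event-qps=0\""
        scored: true

      - id: "2.1.12"
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          # No bin_op: both flags must be present.
          test_items:
            - flag: "--tls-cert-file"
              set: true
            - flag: "--tls-private-key-file"
              set: true
        remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
          Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS
          parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and
          \"--tls-private-key-file=<path/to/tls-key-file>\""
        scored: true

      - id: "2.1.13"
        text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            - flag: "--cadvisor-port"
              compare:
                op: eq
                value: "0"
              set: true
        remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
          to \"--cadvisor-port=0\""
        scored: true

      - id: "2.1.14"
        text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            # The flag here is a feature-gate name, expected inside the
            # --feature-gates=... argument rather than as its own flag.
            - flag: "RotateKubeletClientCertificate"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
          to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
        scored: true

      - id: "2.1.15"
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
        audit: "ps -ef | grep $kubeletbin | grep -v grep"
        tests:
          test_items:
            # Feature-gate name, matched inside --feature-gates=... as in 2.1.14.
            - flag: "RotateKubeletServerCertificate"
              compare:
                op: eq
                value: "true"
              set: true
        remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
          to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
        scored: true

  - id: "2.2"
    text: "Configuration Files"
    # File permission checks compare the octal mode printed by `stat -c %a`
    # against an explicit allow-list (644/640/600). Any mode not listed
    # fails, including modes more restrictive than 600 such as 400.
    # Ownership checks compare `stat -c %U:%G` output against root:root.
    checks:
      - id: "2.2.1"
        text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
        audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
        tests:
          bin_op: or
          test_items:
            - flag: "644"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
        remediation: "Run the below command (based on the file location on your system) on the each worker node.
          \nFor example, chmod 644 $config"
        scored: true

      - id: "2.2.2"
        text: "Ensure that the config file ownership is set to root:root (Scored)"
        audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
        tests:
          test_items:
            - flag: "root:root"
              compare:
                op: eq
                # Quoted like the flag above; a bare root:root is a plain
                # scalar containing ':' and is easy to mis-edit.
                value: "root:root"
              set: true
        remediation: "Run the below command (based on the file location on your system) on the each worker node.
          \nFor example, chown root:root $config"
        scored: true

      - id: "2.2.3"
        text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
        audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
        tests:
          bin_op: or
          test_items:
            - flag: "644"
              compare:
                op: eq
                # Was a bare 644 (parsed as an int) while every sibling check
                # quotes it; made consistent with 2.2.1/2.2.5/2.2.7.
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
        remediation: "Run the below command (based on the file location on your system) on the each worker node.
          \nFor example, chmod 644 $kubeletconf"
        scored: true

      - id: "2.2.4"
        text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
        audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
              set: true
        remediation: "Run the below command (based on the file location on your system) on the each worker node.
          \nFor example, chown root:root $kubeletconf"
        scored: true

      - id: "2.2.5"
        text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
        audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
        tests:
          bin_op: or
          test_items:
            - flag: "644"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
        remediation: "Run the below command (based on the file location on your system) on the each worker node.
          \nFor example, chmod 644 $proxyconf"
        scored: true

      - id: "2.2.6"
        text: "Ensure that the proxy file ownership is set to root:root (Scored)"
        audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
        tests:
          test_items:
            - flag: "root:root"
              set: true
        remediation: "Run the below command (based on the file location on your system) on the each worker node.
          \nFor example, chown root:root $proxyconf"
        scored: true

      - id: "2.2.7"
        text: "Ensure that the certificate authorities file permissions are set to
          644 or more restrictive (Scored)"
        audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
        tests:
          bin_op: or
          test_items:
            - flag: "644"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
        remediation: "Run the following command to modify the file permissions of the --client-ca-file
          \nchmod 644 <filename>"
        scored: true

      - id: "2.2.8"
        text: "Ensure that the client certificate authorities file ownership is set to root:root"
        audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
        tests:
          test_items:
            # Was "notexist:notexist", which no `stat -c %U:%G` output can
            # produce, so with set: true the control could never pass. Now
            # matches the check text and the ownership checks in 2.2.4/2.2.6.
            - flag: "root:root"
              set: true
        remediation: "Run the following command to modify the ownership of the --client-ca-file.
          \nchown root:root <filename>"
        scored: true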