mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-25 09:28:16 +00:00
a34047c105
* Adding eks-stig-kubernetes-v1r6 * Fixing lint errors * Reformatting texts * Removing pinned docker tag * Updating Expected Stig Output Co-authored-by: EC2 Default User <ec2-user@ip-10-0-44-222.ec2.internal>
288 lines
12 KiB
YAML
288 lines
12 KiB
YAML
---
|
|
controls:
|
|
version: "eks-stig-kubernetes-v1r6"
|
|
id: 3
|
|
text: "Worker Node Security Configuration"
|
|
type: "node"
|
|
groups:
|
|
- id: 3.1
|
|
text: "DISA Category Code I"
|
|
checks:
|
|
- id: V-242387 # CIS 3.2.4
|
|
text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: "--read-only-port"
|
|
path: '{.readOnlyPort}'
|
|
set: true
|
|
compare:
|
|
op: eq
|
|
value: 0
|
|
remediation: |
|
|
If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--read-only-port=0
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
- id: V-242391 # CIS 3.2.1
|
|
text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: "--anonymous-auth"
|
|
path: '{.authentication.anonymous.enabled}'
|
|
set: true
|
|
compare:
|
|
op: eq
|
|
value: false
|
|
remediation: |
|
|
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
|
|
false.
|
|
If using executable arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--anonymous-auth=false
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
- id: V-242392 # CIS 3.2.2
|
|
text: "The Kubernetes kubelet must enable explicit authorization (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --authorization-mode
|
|
path: '{.authorization.mode}'
|
|
set: true
|
|
compare:
|
|
op: nothave
|
|
value: AlwaysAllow
|
|
remediation: |
|
|
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
|
|
using executable arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
|
--authorization-mode=Webhook
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
- id: V-242397
|
|
text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- path: '{.staticPodPath}'
|
|
set: false
|
|
remediation: |
|
|
Edit $kubeletconf on each node to to remove the staticPodPath
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
- id: V-242415
|
|
text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Run the following command:
|
|
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
|
|
If any of the values returned reference environment variables
|
|
rewrite application code to read secrets from mounted secret files, rather than
|
|
from environment variables.
|
|
scored: false
|
|
- id: V-242434 # CIS 3.2.6
|
|
text: "Kubernetes Kubelet must enable kernel protection (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --protect-kernel-defaults
|
|
path: '{.protectKernelDefaults}'
|
|
set: true
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
remediation: |
|
|
If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--protect-kernel-defaults=true
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
- id: V-242435
|
|
text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --authorization-mode
|
|
path: '{.authorization.mode}'
|
|
set: true
|
|
compare:
|
|
op: nothave
|
|
value: AlwaysAllow
|
|
remediation: |
|
|
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
|
|
using executable arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
|
--authorization-mode=Webhook
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
- id: V-242393
|
|
text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
|
|
audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
|
|
tests:
|
|
test_items:
|
|
- flag: ActiveState
|
|
compare:
|
|
op: eq
|
|
value: inactive
|
|
remediation: |
|
|
To stop the sshd service, run the command: systemctl stop sshd
|
|
scored: true
|
|
- id: V-242394
|
|
text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
|
|
audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
|
|
tests:
|
|
test_items:
|
|
- flag: "disabled"
|
|
remediation: |
|
|
To disable the sshd service, run the command:
|
|
chkconfig sshd off
|
|
scored: true
|
|
- id: V-242395
|
|
text: "Kubernetes dashboard must not be enabled. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
|
|
If any resources are returned, this is a finding.
|
|
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
|
|
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
|
|
scored: false
|
|
- id: V-242398
|
|
text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "--feature-gates"
|
|
compare:
|
|
op: nothave
|
|
value: "DynamicAuditing=true"
|
|
set: true
|
|
- flag: "--feature-gates"
|
|
set: false
|
|
remediation: |
|
|
Edit any manifest files or kubelet config files that contain the feature-gates
|
|
setting with DynamicAuditing set to "true".
|
|
Set the flag to "false" or remove the "DynamicAuditing" setting
|
|
completely. Restart the kubelet service if the kubelet config file
|
|
if the kubelet config file is changed.
|
|
scored: true
|
|
- id: V-242399
|
|
text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "--feature-gates"
|
|
compare:
|
|
op: nothave
|
|
value: "DynamicKubeletConfig=true"
|
|
set: true
|
|
- flag: "--feature-gates"
|
|
set: false
|
|
remediation: |
|
|
Edit any manifest files or $kubeletconf that contain the feature-gates
|
|
setting with DynamicKubeletConfig set to "true".
|
|
Set the flag to "false" or remove the "DynamicKubeletConfig" setting
|
|
completely. Restart the kubelet service if the kubelet config file
|
|
if the kubelet config file is changed.
|
|
scored: true
|
|
- id: V-242404 # CIS 3.2.8
|
|
text: "Kubernetes Kubelet must deny hostname override (Automated)"
|
|
# This is one of those properties that can only be set as a command line argument.
|
|
# To check if the property is set as expected, we need to parse the kubelet command
|
|
# instead reading the Kubelet Configuration file.
|
|
audit: "/bin/ps -fC $kubeletbin "
|
|
tests:
|
|
test_items:
|
|
- flag: --hostname-override
|
|
set: false
|
|
remediation: |
|
|
Edit the kubelet service file $kubeletbin
|
|
on each worker node and remove the --hostname-override argument from the
|
|
KUBELET_SYSTEM_PODS_ARGS variable.
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
- id: V-242406
|
|
text: "The Kubernetes kubelet configuration file must be owned by root (Automated)"
|
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
|
|
tests:
|
|
test_items:
|
|
- flag: root:root
|
|
remediation: |
|
|
Run the below command (based on the file location on your system) on the each worker node.
|
|
For example,
|
|
chown root:root $kubeletkubeconfig
|
|
scored: true
|
|
- id: V-242407
|
|
text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)"
|
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
|
|
tests:
|
|
test_items:
|
|
- flag: "permissions"
|
|
compare:
|
|
op: bitmask
|
|
value: "644"
|
|
remediation: |
|
|
Run the following command (using the config file location identified in the Audit step)
|
|
chmod 644 $kubeletconf
|
|
scored: true
|
|
- id: V-242414
|
|
text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
For any of the pods that are using ports below 1024,
|
|
reconfigure the pod to use a service to map a host non-privileged
|
|
port to the pod port or reconfigure the image to use non-privileged ports.
|
|
scored: false
|
|
- id: V-242442
|
|
text: "Kubernetes must remove old components after updated versions have been installed. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
To view all pods and the images used to create the pods, from the Master node, run the following command:
|
|
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
|
|
tr -s '[[:space:]]' '\n' | \
|
|
sort | \
|
|
uniq -c
|
|
Review the images used for pods running within Kubernetes.
|
|
Remove any old pods that are using older images.
|
|
scored: false
|
|
- id: V-242396
|
|
text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
|
|
type: "manual"
|
|
remediation: |
|
|
If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
|
|
Upgrade the Master and Worker nodes to the latest version of kubectl.
|
|
scored: false
|