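---
# kube-bench control set for the worker-node section (CIS section 4) of the
# Alibaba Cloud ACK "ack-1.0" benchmark.
#
# Conventions used by the checks below:
#   * `$kubeletsvc`, `$kubeletconf`, `$kubeletkubeconfig`, `$proxykubeconfig`,
#     `$kubeletcafile` and `$kubeletbin` are placeholders that kube-bench
#     substitutes before running the audit command (the mapping from these
#     names to concrete paths is not in this file — verify it against the
#     cfg/config.yaml used for the ack-1.0 target).
#   * Section 4.1 checks stat() the files; section 4.2 checks read the running
#     kubelet command line (`audit`) and the kubelet config file
#     (`audit_config`), matching either the CLI `flag` or the config `path`.
#   * `scored: false` checks are reported but are not counted as failures.
#
# NOTE(review): ids such as 4.1 / 4.2 resolve to floats under generic YAML
# typing; they are quoted here so any consumer reads them as the strings
# they are meant to be.
controls:
version: "ack-1.0"
id: "4"
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: "4.1"
    text: "Worker Node Configuration Files"
    checks:
      - id: "4.1.1"
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
        # Produces no output when the unit file is absent; with no
        # `permissions` line to match, this check then reports a failure
        # (contrast 4.1.2, which treats an absent file as compliant).
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                # bitmask: every permission bit set on the file must also be
                # set in 644, i.e. 644 or stricter passes.
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletsvc
        scored: true

      - id: "4.1.2"
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        # Emits a sentinel when the file is missing, and the `or` below makes
        # that sentinel a PASS. A mis-resolved $kubeletsvc therefore passes
        # silently — confirm the variable points at the real unit file.
        audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "File not found"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: "4.1.3"
        text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          # Single test item; `or` has no effect here and is kept for parity
          # with 4.1.4.
          bin_op: or
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: false

      - id: "4.1.4"
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: "4.1.5"
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: "4.1.6"
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: false

      - id: "4.1.7"
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
        # The CA path is taken from the live kubelet command line
        # (`grep -v apiserver` drops the API server's own --client-ca-file on
        # nodes that also run it); when the flag is absent, e.g. the path is
        # only in the kubelet config file, $kubeletcafile is used instead.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 644 <filename>
        scored: false

      - id: "4.1.8"
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        # Same path discovery as 4.1.7; checks ownership instead of mode.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: "4.1.9"
        text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: "4.1.10"
        text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: "4.2"
    text: "Kubelet"
    checks:
      - id: "4.2.1"
        text: "Ensure that the anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.2"
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                # Rejects AlwaysAllow only; the check does not require Webhook
                # even though the remediation recommends it.
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.3"
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Presence only: the value is not validated here (see 4.1.7/4.1.8
          # for the file checks).
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.4"
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            # Unset is accepted as compliant. NOTE(review): that is only safe
            # if the kubelet's default for this setting is 0 (disabled) in the
            # deployed version — the command-line flag historically defaulted
            # to 10255 — so confirm with `curl` against port 10255 on a node.
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: "4.2.5"
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            # Unset passes: an explicit 0 (no timeout) is the only failing case.
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: "4.2.6"
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # No `set: false` alternative here: the setting must be explicitly
          # true to pass.
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: "4.2.7"
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            # Unset passes; the remediation relies on the kubelet default being
            # true and tells the operator to remove the argument.
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: "4.2.8"
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                # Only 0 (no rate limit) passes automatically. A deliberately
                # chosen non-zero limit is reported as a failure and has to be
                # judged manually, which is why this check is unscored.
                op: eq
                value: 0
        # Fix: the original remediation said "set the below parameter" but
        # omitted the parameter line.
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=<appropriate level>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: "4.2.9"
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Both settings must be present; nothing here verifies that the
          # files exist, match each other, or chain to a trusted CA.
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCertFile to the location
          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: "4.2.10"
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              # Flattens the config-file list to a comma-separated string so it
              # can be compared the same way as the CLI flag value.
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                # valid_elements: presumably every configured suite must appear
                # in this allow-list. NOTE(review): the two TLS_RSA_* suites
                # use static RSA key exchange and give no forward secrecy; they
                # are kept because the benchmark lists them, but prefer
                # configuring only the ECDHE subset.
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        # Fix: the config-file key is spelled `tlsCipherSuites` (as the audit
        # path above uses); the original remediation wrote `TLSCipherSuites`.
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCipherSuites: to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false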