github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/cis-1.20/master.yaml (about) 1 --- 2 controls: 3 version: "cis-1.20" 4 id: 1 5 text: "Master Node Security Configuration" 6 type: "master" 7 groups: 8 - id: 1.1 9 text: "Master Node Configuration Files" 10 checks: 11 - id: 1.1.1 12 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)" 13 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" 14 tests: 15 test_items: 16 - flag: "permissions" 17 compare: 18 op: bitmask 19 value: "644" 20 remediation: | 21 Run the below command (based on the file location on your system) on the 22 master node. 23 For example, chmod 644 $apiserverconf 24 scored: true 25 26 - id: 1.1.2 27 text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)" 28 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" 29 tests: 30 test_items: 31 - flag: "root:root" 32 remediation: | 33 Run the below command (based on the file location on your system) on the master node. 34 For example, 35 chown root:root $apiserverconf 36 scored: true 37 38 - id: 1.1.3 39 text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)" 40 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" 41 tests: 42 test_items: 43 - flag: "permissions" 44 compare: 45 op: bitmask 46 value: "644" 47 remediation: | 48 Run the below command (based on the file location on your system) on the master node. 
49 For example, 50 chmod 644 $controllermanagerconf 51 scored: true 52 53 - id: 1.1.4 54 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" 55 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" 56 tests: 57 test_items: 58 - flag: "root:root" 59 remediation: | 60 Run the below command (based on the file location on your system) on the master node. 61 For example, 62 chown root:root $controllermanagerconf 63 scored: true 64 65 - id: 1.1.5 66 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)" 67 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" 68 tests: 69 test_items: 70 - flag: "permissions" 71 compare: 72 op: bitmask 73 value: "644" 74 remediation: | 75 Run the below command (based on the file location on your system) on the master node. 76 For example, 77 chmod 644 $schedulerconf 78 scored: true 79 80 - id: 1.1.6 81 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" 82 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" 83 tests: 84 test_items: 85 - flag: "root:root" 86 remediation: | 87 Run the below command (based on the file location on your system) on the master node. 88 For example, 89 chown root:root $schedulerconf 90 scored: true 91 92 - id: 1.1.7 93 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" 94 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" 95 use_multiple_values: true 96 tests: 97 test_items: 98 - flag: "permissions" 99 compare: 100 op: bitmask 101 value: "644" 102 remediation: | 103 Run the below command (based on the file location on your system) on the master node. 
104 For example, 105 chmod 644 $etcdconf 106 scored: true 107 108 - id: 1.1.8 109 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" 110 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi'" 111 use_multiple_values: true 112 tests: 113 test_items: 114 - flag: "root:root" 115 remediation: | 116 Run the below command (based on the file location on your system) on the master node. 117 For example, 118 chown root:root $etcdconf 119 scored: true 120 121 - id: 1.1.9 122 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)" 123 audit: | 124 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a 125 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a 126 use_multiple_values: true 127 tests: 128 test_items: 129 - flag: "permissions" 130 compare: 131 op: bitmask 132 value: "644" 133 remediation: | 134 Run the below command (based on the file location on your system) on the master node. 135 For example, 136 chmod 644 <path/to/cni/files> 137 scored: false 138 139 - id: 1.1.10 140 text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" 141 audit: | 142 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G 143 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G 144 use_multiple_values: true 145 tests: 146 test_items: 147 - flag: "root:root" 148 remediation: | 149 Run the below command (based on the file location on your system) on the master node. 
150 For example, 151 chown root:root <path/to/cni/files> 152 scored: false 153 154 - id: 1.1.11 155 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" 156 audit: | 157 DATA_DIR='' 158 for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do 159 if test -d "$d"; then DATA_DIR="$d"; fi 160 done 161 if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi 162 stat -c permissions=%a "$DATA_DIR" 163 tests: 164 test_items: 165 - flag: "permissions" 166 compare: 167 op: bitmask 168 value: "700" 169 remediation: | 170 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 171 from the below command: 172 ps -ef | grep etcd 173 Run the below command (based on the etcd data directory found above). For example, 174 chmod 700 /var/lib/etcd 175 scored: true 176 177 - id: 1.1.12 178 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" 179 audit: | 180 DATA_DIR='' 181 for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do 182 if test -d "$d"; then DATA_DIR="$d"; fi 183 done 184 if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi 185 stat -c %U:%G "$DATA_DIR" 186 tests: 187 test_items: 188 - flag: "etcd:etcd" 189 remediation: | 190 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 191 from the below command: 192 ps -ef | grep etcd 193 Run the below command (based on the etcd data directory found above). 
194 For example, chown etcd:etcd /var/lib/etcd 195 scored: true 196 197 - id: 1.1.13 198 text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)" 199 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'" 200 tests: 201 test_items: 202 - flag: "permissions" 203 compare: 204 op: bitmask 205 value: "644" 206 remediation: | 207 Run the below command (based on the file location on your system) on the master node. 208 For example, 209 chmod 644 /etc/kubernetes/admin.conf 210 scored: true 211 212 - id: 1.1.14 213 text: "Ensure that the admin.conf file ownership is set to root:root (Automated)" 214 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'" 215 tests: 216 test_items: 217 - flag: "root:root" 218 remediation: | 219 Run the below command (based on the file location on your system) on the master node. 220 For example, 221 chown root:root /etc/kubernetes/admin.conf 222 scored: true 223 224 - id: 1.1.15 225 text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)" 226 audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'" 227 tests: 228 test_items: 229 - flag: "permissions" 230 compare: 231 op: bitmask 232 value: "644" 233 remediation: | 234 Run the below command (based on the file location on your system) on the master node. 235 For example, 236 chmod 644 $schedulerkubeconfig 237 scored: true 238 239 - id: 1.1.16 240 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" 241 audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'" 242 tests: 243 test_items: 244 - flag: "root:root" 245 remediation: | 246 Run the below command (based on the file location on your system) on the master node. 
247 For example, 248 chown root:root $schedulerkubeconfig 249 scored: true 250 251 - id: 1.1.17 252 text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)" 253 audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'" 254 tests: 255 test_items: 256 - flag: "permissions" 257 compare: 258 op: bitmask 259 value: "644" 260 remediation: | 261 Run the below command (based on the file location on your system) on the master node. 262 For example, 263 chmod 644 $controllermanagerkubeconfig 264 scored: true 265 266 - id: 1.1.18 267 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" 268 audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'" 269 tests: 270 test_items: 271 - flag: "root:root" 272 remediation: | 273 Run the below command (based on the file location on your system) on the master node. 274 For example, 275 chown root:root $controllermanagerkubeconfig 276 scored: true 277 278 - id: 1.1.19 279 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" 280 audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G" 281 use_multiple_values: true 282 tests: 283 test_items: 284 - flag: "root:root" 285 remediation: | 286 Run the below command (based on the file location on your system) on the master node. 
287 For example, 288 chown -R root:root /etc/kubernetes/pki/ 289 scored: true 290 291 - id: 1.1.20 292 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)" 293 audit: "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a" 294 use_multiple_values: true 295 tests: 296 test_items: 297 - flag: "permissions" 298 compare: 299 op: bitmask 300 value: "644" 301 remediation: | 302 Run the below command (based on the file location on your system) on the master node. 303 For example, 304 chmod -R 644 /etc/kubernetes/pki/*.crt 305 scored: false 306 307 - id: 1.1.21 308 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" 309 audit: "find /etc/kubernetes/pki/ -name '*.key' | xargs stat -c permissions=%a" 310 use_multiple_values: true 311 tests: 312 test_items: 313 - flag: "permissions" 314 compare: 315 op: bitmask 316 value: "600" 317 remediation: | 318 Run the below command (based on the file location on your system) on the master node. 319 For example, 320 chmod -R 600 /etc/kubernetes/pki/*.key 321 scored: false 322 323 - id: 1.2 324 text: "API Server" 325 checks: 326 - id: 1.2.1 327 text: "Ensure that the --anonymous-auth argument is set to false (Manual)" 328 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 329 tests: 330 test_items: 331 - flag: "--anonymous-auth" 332 compare: 333 op: eq 334 value: false 335 remediation: | 336 Edit the API server pod specification file $apiserverconf 337 on the master node and set the below parameter. 338 --anonymous-auth=false 339 scored: false 340 341 - id: 1.2.2 342 text: "Ensure that the --token-auth-file parameter is not set (Automated)" 343 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 344 tests: 345 test_items: 346 - flag: "--token-auth-file" 347 set: false 348 remediation: | 349 Follow the documentation and configure alternate mechanisms for authentication. 
Then, 350 edit the API server pod specification file $apiserverconf 351 on the master node and remove the --token-auth-file=<filename> parameter. 352 scored: true 353 354 - id: 1.2.3 355 text: "Ensure that the --kubelet-https argument is set to true (Automated)" 356 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 357 tests: 358 bin_op: or 359 test_items: 360 - flag: "--kubelet-https" 361 compare: 362 op: eq 363 value: true 364 - flag: "--kubelet-https" 365 set: false 366 remediation: | 367 Edit the API server pod specification file $apiserverconf 368 on the master node and remove the --kubelet-https parameter. 369 scored: true 370 371 - id: 1.2.4 372 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" 373 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 374 tests: 375 bin_op: and 376 test_items: 377 - flag: "--kubelet-client-certificate" 378 - flag: "--kubelet-client-key" 379 remediation: | 380 Follow the Kubernetes documentation and set up the TLS connection between the 381 apiserver and kubelets. Then, edit the API server pod specification file 382 $apiserverconf on the master node and set the 383 kubelet client certificate and key parameters as below. 384 --kubelet-client-certificate=<path/to/client-certificate-file> 385 --kubelet-client-key=<path/to/client-key-file> 386 scored: true 387 388 - id: 1.2.5 389 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" 390 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 391 tests: 392 test_items: 393 - flag: "--kubelet-certificate-authority" 394 remediation: | 395 Follow the Kubernetes documentation and set up the TLS connection between 396 the apiserver and kubelets. Then, edit the API server pod specification file 397 $apiserverconf on the master node and set the 398 --kubelet-certificate-authority parameter to the path of the certificate authority's certificate file. 
399 --kubelet-certificate-authority=<ca-string> 400 scored: true 401 402 - id: 1.2.6 403 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 404 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 405 tests: 406 test_items: 407 - flag: "--authorization-mode" 408 compare: 409 op: nothave 410 value: "AlwaysAllow" 411 remediation: | 412 Edit the API server pod specification file $apiserverconf 413 on the master node and set the --authorization-mode parameter to values other than AlwaysAllow. 414 One such example could be as below. 415 --authorization-mode=RBAC 416 scored: true 417 418 - id: 1.2.7 419 text: "Ensure that the --authorization-mode argument includes Node (Automated)" 420 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 421 tests: 422 test_items: 423 - flag: "--authorization-mode" 424 compare: 425 op: has 426 value: "Node" 427 remediation: | 428 Edit the API server pod specification file $apiserverconf 429 on the master node and set the --authorization-mode parameter to a value that includes Node. 
430 --authorization-mode=Node,RBAC 431 scored: true 432 433 - id: 1.2.8 434 text: "Ensure that the --authorization-mode argument includes RBAC (Automated)" 435 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 436 tests: 437 test_items: 438 - flag: "--authorization-mode" 439 compare: 440 op: has 441 value: "RBAC" 442 remediation: | 443 Edit the API server pod specification file $apiserverconf 444 on the master node and set the --authorization-mode parameter to a value that includes RBAC, 445 for example: 446 --authorization-mode=Node,RBAC 447 scored: true 448 449 - id: 1.2.9 450 text: "Ensure that the admission control plugin EventRateLimit is set (Manual)" 451 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 452 tests: 453 test_items: 454 - flag: "--enable-admission-plugins" 455 compare: 456 op: has 457 value: "EventRateLimit" 458 remediation: | 459 Follow the Kubernetes documentation and set the desired limits in a configuration file. 460 Then, edit the API server pod specification file $apiserverconf 461 and set the below parameters. 462 --enable-admission-plugins=...,EventRateLimit,... 463 --admission-control-config-file=<path/to/configuration/file> 464 scored: false 465 466 - id: 1.2.10 467 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" 468 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 469 tests: 470 bin_op: or 471 test_items: 472 - flag: "--enable-admission-plugins" 473 compare: 474 op: nothave 475 value: AlwaysAdmit 476 - flag: "--enable-admission-plugins" 477 set: false 478 remediation: | 479 Edit the API server pod specification file $apiserverconf 480 on the master node and either remove the --enable-admission-plugins parameter, or set it to a 481 value that does not include AlwaysAdmit. 
482 scored: true 483 484 - id: 1.2.11 485 text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)" 486 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 487 tests: 488 test_items: 489 - flag: "--enable-admission-plugins" 490 compare: 491 op: has 492 value: "AlwaysPullImages" 493 remediation: | 494 Edit the API server pod specification file $apiserverconf 495 on the master node and set the --enable-admission-plugins parameter to include 496 AlwaysPullImages. 497 --enable-admission-plugins=...,AlwaysPullImages,... 498 scored: false 499 500 - id: 1.2.12 501 text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)" 502 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 503 tests: 504 bin_op: or 505 test_items: 506 - flag: "--enable-admission-plugins" 507 compare: 508 op: has 509 value: "SecurityContextDeny" 510 - flag: "--enable-admission-plugins" 511 compare: 512 op: has 513 value: "PodSecurityPolicy" 514 remediation: | 515 Edit the API server pod specification file $apiserverconf 516 on the master node and set the --enable-admission-plugins parameter to include 517 SecurityContextDeny, unless PodSecurityPolicy is already in place. 518 --enable-admission-plugins=...,SecurityContextDeny,... 519 scored: false 520 521 - id: 1.2.13 522 text: "Ensure that the admission control plugin ServiceAccount is set (Automated)" 523 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 524 tests: 525 bin_op: or 526 test_items: 527 - flag: "--disable-admission-plugins" 528 compare: 529 op: nothave 530 value: "ServiceAccount" 531 - flag: "--disable-admission-plugins" 532 set: false 533 remediation: | 534 Follow the documentation and create ServiceAccount objects as per your environment. 
535 Then, edit the API server pod specification file $apiserverconf 536 on the master node and ensure that the --disable-admission-plugins parameter is set to a 537 value that does not include ServiceAccount. 538 scored: true 539 540 - id: 1.2.14 541 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" 542 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 543 tests: 544 bin_op: or 545 test_items: 546 - flag: "--disable-admission-plugins" 547 compare: 548 op: nothave 549 value: "NamespaceLifecycle" 550 - flag: "--disable-admission-plugins" 551 set: false 552 remediation: | 553 Edit the API server pod specification file $apiserverconf 554 on the master node and set the --disable-admission-plugins parameter to 555 ensure it does not include NamespaceLifecycle. 556 scored: true 557 558 - id: 1.2.15 559 text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)" 560 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 561 tests: 562 test_items: 563 - flag: "--enable-admission-plugins" 564 compare: 565 op: has 566 value: "PodSecurityPolicy" 567 remediation: | 568 Follow the documentation and create Pod Security Policy objects as per your environment. 569 Then, edit the API server pod specification file $apiserverconf 570 on the master node and set the --enable-admission-plugins parameter to a 571 value that includes PodSecurityPolicy: 572 --enable-admission-plugins=...,PodSecurityPolicy,... 573 Then restart the API Server. 574 scored: true 575 576 - id: 1.2.16 577 text: "Ensure that the admission control plugin NodeRestriction is set (Automated)" 578 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 579 tests: 580 test_items: 581 - flag: "--enable-admission-plugins" 582 compare: 583 op: has 584 value: "NodeRestriction" 585 remediation: | 586 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. 
587 Then, edit the API server pod specification file $apiserverconf 588 on the master node and set the --enable-admission-plugins parameter to a 589 value that includes NodeRestriction. 590 --enable-admission-plugins=...,NodeRestriction,... 591 scored: true 592 593 - id: 1.2.17 594 text: "Ensure that the --insecure-bind-address argument is not set (Automated)" 595 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 596 tests: 597 test_items: 598 - flag: "--insecure-bind-address" 599 set: false 600 remediation: | 601 Edit the API server pod specification file $apiserverconf 602 on the master node and remove the --insecure-bind-address parameter. 603 scored: true 604 605 - id: 1.2.18 606 text: "Ensure that the --insecure-port argument is set to 0 (Automated)" 607 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 608 tests: 609 test_items: 610 - flag: "--insecure-port" 611 compare: 612 op: eq 613 value: 0 614 remediation: | 615 Edit the API server pod specification file $apiserverconf 616 on the master node and set the below parameter. 617 --insecure-port=0 618 scored: true 619 620 - id: 1.2.19 621 text: "Ensure that the --secure-port argument is not set to 0 (Automated)" 622 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 623 tests: 624 bin_op: or 625 test_items: 626 - flag: "--secure-port" 627 compare: 628 op: gt 629 value: 0 630 - flag: "--secure-port" 631 set: false 632 remediation: | 633 Edit the API server pod specification file $apiserverconf 634 on the master node and either remove the --secure-port parameter or 635 set it to a different (non-zero) desired port. 
636 scored: true 637 638 - id: 1.2.20 639 text: "Ensure that the --profiling argument is set to false (Automated)" 640 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 641 tests: 642 test_items: 643 - flag: "--profiling" 644 compare: 645 op: eq 646 value: false 647 remediation: | 648 Edit the API server pod specification file $apiserverconf 649 on the master node and set the below parameter. 650 --profiling=false 651 scored: true 652 653 - id: 1.2.21 654 text: "Ensure that the --audit-log-path argument is set (Automated)" 655 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 656 tests: 657 test_items: 658 - flag: "--audit-log-path" 659 remediation: | 660 Edit the API server pod specification file $apiserverconf 661 on the master node and set the --audit-log-path parameter to a suitable path and 662 file where you would like audit logs to be written, for example: 663 --audit-log-path=/var/log/apiserver/audit.log 664 scored: true 665 666 - id: 1.2.22 667 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" 668 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 669 tests: 670 test_items: 671 - flag: "--audit-log-maxage" 672 compare: 673 op: gte 674 value: 30 675 remediation: | 676 Edit the API server pod specification file $apiserverconf 677 on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days: 678 --audit-log-maxage=30 679 scored: true 680 681 - id: 1.2.23 682 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" 683 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 684 tests: 685 test_items: 686 - flag: "--audit-log-maxbackup" 687 compare: 688 op: gte 689 value: 10 690 remediation: | 691 Edit the API server pod specification file $apiserverconf 692 on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate 693 value. 
694 --audit-log-maxbackup=10 695 scored: true 696 697 - id: 1.2.24 698 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" 699 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 700 tests: 701 test_items: 702 - flag: "--audit-log-maxsize" 703 compare: 704 op: gte 705 value: 100 706 remediation: | 707 Edit the API server pod specification file $apiserverconf 708 on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB. 709 For example, to set it as 100 MB: 710 --audit-log-maxsize=100 711 scored: true 712 713 - id: 1.2.25 714 text: "Ensure that the --request-timeout argument is set as appropriate (Manual)" 715 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 716 type: manual 717 remediation: | 718 Edit the API server pod specification file $apiserverconf 719 and set the below parameter as appropriate and if needed. 720 For example, 721 --request-timeout=300s 722 scored: false 723 724 - id: 1.2.26 725 text: "Ensure that the --service-account-lookup argument is set to true (Automated)" 726 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 727 tests: 728 bin_op: or 729 test_items: 730 - flag: "--service-account-lookup" 731 set: false 732 - flag: "--service-account-lookup" 733 compare: 734 op: eq 735 value: true 736 remediation: | 737 Edit the API server pod specification file $apiserverconf 738 on the master node and set the below parameter. 739 --service-account-lookup=true 740 Alternatively, you can delete the --service-account-lookup parameter from this file so 741 that the default takes effect. 
742 scored: true 743 744 - id: 1.2.27 745 text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)" 746 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 747 tests: 748 test_items: 749 - flag: "--service-account-key-file" 750 remediation: | 751 Edit the API server pod specification file $apiserverconf 752 on the master node and set the --service-account-key-file parameter 753 to the public key file for service accounts: 754 --service-account-key-file=<filename> 755 scored: true 756 757 - id: 1.2.28 758 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" 759 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 760 tests: 761 bin_op: and 762 test_items: 763 - flag: "--etcd-certfile" 764 - flag: "--etcd-keyfile" 765 remediation: | 766 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 767 Then, edit the API server pod specification file $apiserverconf 768 on the master node and set the etcd certificate and key file parameters. 769 --etcd-certfile=<path/to/client-certificate-file> 770 --etcd-keyfile=<path/to/client-key-file> 771 scored: true 772 773 - id: 1.2.29 774 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)" 775 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 776 tests: 777 bin_op: and 778 test_items: 779 - flag: "--tls-cert-file" 780 - flag: "--tls-private-key-file" 781 remediation: | 782 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 783 Then, edit the API server pod specification file $apiserverconf 784 on the master node and set the TLS certificate and private key file parameters. 
785 --tls-cert-file=<path/to/tls-certificate-file> 786 --tls-private-key-file=<path/to/tls-key-file> 787 scored: true 788 789 - id: 1.2.30 790 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 791 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 792 tests: 793 test_items: 794 - flag: "--client-ca-file" 795 remediation: | 796 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 797 Then, edit the API server pod specification file $apiserverconf 798 on the master node and set the client certificate authority file. 799 --client-ca-file=<path/to/client-ca-file> 800 scored: true 801 802 - id: 1.2.31 803 text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)" 804 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 805 tests: 806 test_items: 807 - flag: "--etcd-cafile" 808 remediation: | 809 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 810 Then, edit the API server pod specification file $apiserverconf 811 on the master node and set the etcd certificate authority file parameter. 812 --etcd-cafile=<path/to/ca-file> 813 scored: true 814 815 - id: 1.2.32 816 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)" 817 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 818 tests: 819 test_items: 820 - flag: "--encryption-provider-config" 821 remediation: | 822 Follow the Kubernetes documentation and configure an EncryptionConfig file. 
823 Then, edit the API server pod specification file $apiserverconf 824 on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File> 825 scored: false 826 827 - id: 1.2.33 828 text: "Ensure that encryption providers are appropriately configured (Manual)" 829 audit: | 830 ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%') 831 if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi 832 tests: 833 test_items: 834 - flag: "provider" 835 compare: 836 op: valid_elements 837 value: "aescbc,kms,secretbox" 838 remediation: | 839 Follow the Kubernetes documentation and configure an EncryptionConfig file. 840 In this file, choose aescbc, kms or secretbox as the encryption provider. 841 scored: false 842 843 - id: 1.2.34 844 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)" 845 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 846 tests: 847 test_items: 848 - flag: "--tls-cipher-suites" 849 compare: 850 op: valid_elements 851 value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" 852 remediation: | 853 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 854 on the master node and set the below parameter. 
855 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 856 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 857 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 858 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 859 scored: false 860 861 - id: 1.3 862 text: "Controller Manager" 863 checks: 864 - id: 1.3.1 865 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)" 866 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 867 tests: 868 test_items: 869 - flag: "--terminated-pod-gc-threshold" 870 remediation: | 871 Edit the Controller Manager pod specification file $controllermanagerconf 872 on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, 873 for example: 874 --terminated-pod-gc-threshold=10 875 scored: false 876 877 - id: 1.3.2 878 text: "Ensure that the --profiling argument is set to false (Automated)" 879 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 880 tests: 881 test_items: 882 - flag: "--profiling" 883 compare: 884 op: eq 885 value: false 886 remediation: | 887 Edit the Controller Manager pod specification file $controllermanagerconf 888 on the master node and set the below parameter. 889 --profiling=false 890 scored: true 891 892 - id: 1.3.3 893 text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)" 894 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 895 tests: 896 test_items: 897 - flag: "--use-service-account-credentials" 898 compare: 899 op: noteq 900 value: false 901 remediation: | 902 Edit the Controller Manager pod specification file $controllermanagerconf 903 on the master node to set the below parameter. 
904 --use-service-account-credentials=true 905 scored: true 906 907 - id: 1.3.4 908 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)" 909 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 910 tests: 911 test_items: 912 - flag: "--service-account-private-key-file" 913 remediation: | 914 Edit the Controller Manager pod specification file $controllermanagerconf 915 on the master node and set the --service-account-private-key-file parameter 916 to the private key file for service accounts. 917 --service-account-private-key-file=<filename> 918 scored: true 919 920 - id: 1.3.5 921 text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)" 922 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 923 tests: 924 test_items: 925 - flag: "--root-ca-file" 926 remediation: | 927 Edit the Controller Manager pod specification file $controllermanagerconf 928 on the master node and set the --root-ca-file parameter to the certificate bundle file. 929 --root-ca-file=<path/to/file> 930 scored: true 931 932 - id: 1.3.6 933 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" 934 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 935 tests: 936 bin_op: or 937 test_items: 938 - flag: "--feature-gates" 939 compare: 940 op: nothave 941 value: "RotateKubeletServerCertificate=false" 942 set: true 943 - flag: "--feature-gates" 944 set: false 945 remediation: | 946 Edit the Controller Manager pod specification file $controllermanagerconf 947 on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 
948 --feature-gates=RotateKubeletServerCertificate=true 949 scored: true 950 951 - id: 1.3.7 952 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 953 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 954 tests: 955 bin_op: or 956 test_items: 957 - flag: "--bind-address" 958 compare: 959 op: eq 960 value: "127.0.0.1" 961 - flag: "--bind-address" 962 set: false 963 remediation: | 964 Edit the Controller Manager pod specification file $controllermanagerconf 965 on the master node and ensure the correct value for the --bind-address parameter. 966 scored: true 967 968 - id: 1.4 969 text: "Scheduler" 970 checks: 971 - id: 1.4.1 972 text: "Ensure that the --profiling argument is set to false (Automated)" 973 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 974 tests: 975 test_items: 976 - flag: "--profiling" 977 compare: 978 op: eq 979 value: false 980 remediation: | 981 Edit the Scheduler pod specification file $schedulerconf 982 on the master node and set the below parameter. 983 --profiling=false 984 scored: true 985 986 - id: 1.4.2 987 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 988 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 989 tests: 990 bin_op: or 991 test_items: 992 - flag: "--bind-address" 993 compare: 994 op: eq 995 value: "127.0.0.1" 996 - flag: "--bind-address" 997 set: false 998 remediation: | 999 Edit the Scheduler pod specification file $schedulerconf 1000 on the master node and ensure the correct value for the --bind-address parameter. 1001 scored: true
