---
# kube-bench profile cfg/cis-1.20/node.yaml: worker-node checks (section 4 of
# CIS Kubernetes Benchmark 1.20). Each check runs `audit` (and, where present,
# `audit_config`) and evaluates `tests` against the captured output; the
# `remediation` text is what an operator is shown for a failing check.
# Names such as $kubeletsvc, $kubeletconf, $kubeletbin, $kubeletcafile and
# $proxykubeconfig are not defined in this file — presumably they are
# substituted by kube-bench from its own configuration; verify there.
controls:
version: "cis-1.20"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    # File-permission checks emit "permissions=<octal>" only when the file
    # exists and compare it with a bitmask against 644 (i.e. 644 or more
    # restrictive, per each check's title). Ownership checks match the
    # literal "root:root" produced by `stat -c %U:%G`.
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        # NOTE(review): unlike 4.1.1, a missing service file is a pass here via
        # the "File not found" branch of the `or`; only the existing-file case
        # actually asserts ownership. Confirm that is the intended outcome.
        audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "File not found"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          # `or` over a single test item has no effect; kept as written.
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          # `or` over a single test item has no effect; kept as written.
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
        # Resolves the CA path from the running kubelet's --client-ca-file
        # argument (the `grep -v apiserver` presumably drops a co-located
        # kube-apiserver, which takes a flag of the same name), then falls back
        # to $kubeletcafile when nothing was found on the command line.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 644 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        # Same CA-path resolution as 4.1.7; see the comment there.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
        tests:
          test_items:
            # The explicit `eq root:root` compare appears redundant with the
            # flag match itself (4.1.6 and 4.1.10 use the bare flag); harmless.
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    # Checks in this group inspect the kubelet command line (`audit`, via ps)
    # and the kubelet config file (`audit_config`, via cat). On each test item
    # `flag` names the command-line argument and `path` is the JSONPath
    # evaluated against the config-file output for the same setting.
    checks:
      - id: 4.2.1
        text: "Ensure that the anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # `nothave`: passes as long as the value does not contain AlwaysAllow.
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Presence check only: no compare, so any value satisfies it.
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            # NOTE(review): the second item passes whenever the setting is
            # absent. That is only correct if the effective default is 0; the
            # legacy command-line default for --read-only-port is not 0, so a
            # kubelet run without a config file may be reported as passing
            # while the read-only port is open — confirm against the nodes.
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Pass if the timeout is set to a non-zero value ...
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            # ... or if it is not set at all (the default is relied on).
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Must be explicitly true; an absent setting fails this check.
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            # Absent is accepted too, which is why the remediation says to
            # remove the argument rather than set it.
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead of reading the Kubelet Configuration file, so there is no
        # audit_config or path here.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # NOTE(review): `eq 0` fails any non-zero rate, although the check
            # title accepts "a level which ensures appropriate event capture";
            # nodes left at a non-zero default will be reported as failing.
            # The remediation below also announces a parameter it never names
            # (--event-qps=<value>). Consider aligning both with the title.
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # No bin_op here, so presumably both items must be present for a pass
          # (no compare: values are not validated, only presence).
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCertFile to the location
          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            # Absent is a pass: the remediation says removing the setting
            # (falling back to the default) is acceptable.
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            # The flag is the feature-gate name (matched inside --feature-gates
            # on the command line); any value other than false passes ...
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: false
            # ... as does leaving the gate unset.
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # `path` joins the config-file list with commas (the '' inside the
            # single-quoted scalar is an escaped quote) so that both sources
            # yield a comma-separated list for `valid_elements`, which passes
            # only if every configured suite appears in `value`.
            # NOTE(review): the two TLS_RSA_* suites use RSA key exchange and
            # therefore provide no forward secrecy; they are presumably kept
            # because the CIS 1.20 list includes them. Operators wanting a
            # stricter baseline can restrict their kubelet to the ECDHE suites,
            # which remain a valid subset under this check.
            - flag: --tls-cipher-suites
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set TLSCipherSuites: to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false