---
# kube-bench control set for CIS Kubernetes Benchmark 1.23, section 4
# (worker node). Every check is scored against the node it runs on.
#
# Conventions used below:
#   audit         shell command whose output is searched for each `flag`
#   audit_config  command that prints the kubelet config file; `path` is a
#                 JSONPath looked up in that output when the flag is not on
#                 the command line (presumably, since every `path` entry sits
#                 next to an audit_config - confirm against the runner)
#   bin_op: or    the check passes when any single test_item passes
#   set: false    passes only when the flag/path is absent
#   bitmask 644   "644 or more restrictive": the observed mode may not grant
#                 a permission bit that 644 does not
#
# $kubeletsvc, $kubeletkubeconfig, $proxykubeconfig, $kubeletconf,
# $kubeletcafile and $kubeletbin are not defined in this file; they are
# expected to be substituted from the host configuration before an audit
# command is executed.
controls:
  version: "cis-1.23"
  id: "4"
  text: "Worker Node Security Configuration"
  type: "node"
  groups:
    - id: "4.1"
      text: "Worker Node Configuration Files"
      checks:
        - id: "4.1.1"
          text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
          audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi' "
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "644"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example, chmod 644 $kubeletsvc
          scored: true

        - id: "4.1.2"
          text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
          audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
          # Either output line satisfies the check: a missing service file is
          # accepted rather than reported as a failure.
          tests:
            bin_op: or
            test_items:
              - flag: "root:root"
              - flag: "File not found"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example,
            chown root:root $kubeletsvc
          scored: true

        - id: "4.1.3"
          text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
          audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi' "
          # NOTE(review): unlike 4.1.2 there is no "File not found" branch, so
          # when $proxykubeconfig is absent the audit prints nothing and the
          # `permissions` flag is never found - confirm how empty output is
          # reported for this unscored check.
          tests:
            bin_op: or
            test_items:
              - flag: "permissions"
                set: true
                compare:
                  op: bitmask
                  value: "644"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example,
            chmod 644 $proxykubeconfig
          scored: false

        - id: "4.1.4"
          text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
          audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi' "
          tests:
            bin_op: or
            test_items:
              - flag: "root:root"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example, chown root:root $proxykubeconfig
          scored: false

        - id: "4.1.5"
          text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
          audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi' "
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "644"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example,
            chmod 644 $kubeletkubeconfig
          scored: true

        - id: "4.1.6"
          text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
          audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi' "
          tests:
            test_items:
              - flag: "root:root"
          remediation: |
            Run the below command (based on the file location on your system) on the each worker node.
            For example,
            chown root:root $kubeletkubeconfig
          scored: true

        - id: "4.1.7"
          text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
          # The CA path is taken from the running kubelet's --client-ca-file
          # argument, falling back to $kubeletcafile when the argument is not
          # present. `test -z $CAFILE` is unquoted: with an empty CAFILE the
          # one-operand form of test is evaluated, which still yields true.
          audit: |
            CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
            if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
            if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "644"
          remediation: |
            Run the following command to modify the file permissions of the
            --client-ca-file chmod 644 <filename>
          scored: false

        - id: "4.1.8"
          text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
          # Same CA-file discovery as 4.1.7; only the stat format differs.
          audit: |
            CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
            if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
            if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
          tests:
            test_items:
              - flag: "root:root"
                compare:
                  op: eq
                  value: "root:root"
          remediation: |
            Run the following command to modify the ownership of the --client-ca-file.
            chown root:root <filename>
          scored: false

        - id: "4.1.9"
          text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
          audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi' "
          tests:
            test_items:
              - flag: "permissions"
                compare:
                  op: bitmask
                  value: "644"
          remediation: |
            Run the following command (using the config file location identified in the Audit step)
            chmod 644 $kubeletconf
          scored: true

        - id: "4.1.10"
          text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
          audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi' "
          tests:
            test_items:
              - flag: "root:root"
          remediation: |
            Run the following command (using the config file location identified in the Audit step)
            chown root:root $kubeletconf
          scored: true

    - id: "4.2"
      text: "Kubelet"
      checks:
        - id: "4.2.1"
          text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--anonymous-auth"
                path: "{.authentication.anonymous.enabled}"
                compare:
                  op: eq
                  value: "false"
          remediation: |
            If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
            `false`.
            If using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            `--anonymous-auth=false`
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: "4.2.2"
          text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          tests:
            test_items:
              - flag: "--authorization-mode"
                path: "{.authorization.mode}"
                compare:
                  op: nothave
                  value: "AlwaysAllow"
          remediation: |
            If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
            using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_AUTHZ_ARGS variable.
            --authorization-mode=Webhook
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: "4.2.3"
          text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # Presence-only check: no compare block, so any value for the flag or
          # config path passes.
          tests:
            test_items:
              - flag: "--client-ca-file"
                path: "{.authentication.x509.clientCAFile}"
          remediation: |
            If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
            the location of the client CA file.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_AUTHZ_ARGS variable.
            --client-ca-file=<path/to/client-ca-file>
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: "4.2.4"
          text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # Passes on an explicit 0, or when the setting is absent altogether;
          # the second branch relies on the kubelet default, which this file
          # does not verify.
          tests:
            bin_op: or
            test_items:
              - flag: "--read-only-port"
                path: "{.readOnlyPort}"
                compare:
                  op: eq
                  value: "0"
              - flag: "--read-only-port"
                path: "{.readOnlyPort}"
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --read-only-port=0
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "4.2.5"
          text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # Any non-zero value passes; an unset value is also accepted (default
          # assumed to be non-zero - not verified here).
          tests:
            bin_op: or
            test_items:
              - flag: "--streaming-connection-idle-timeout"
                path: "{.streamingConnectionIdleTimeout}"
                compare:
                  op: noteq
                  value: "0"
              - flag: "--streaming-connection-idle-timeout"
                path: "{.streamingConnectionIdleTimeout}"
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
            value other than 0.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --streaming-connection-idle-timeout=5m
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "4.2.6"
          text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # Strict: the setting must be present and true; absent does not pass.
          tests:
            test_items:
              - flag: "--protect-kernel-defaults"
                path: "{.protectKernelDefaults}"
                compare:
                  op: eq
                  value: "true"
          remediation: |
            If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            --protect-kernel-defaults=true
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: "4.2.7"
          text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # Explicit true or unset both pass, matching the remediation, which
          # tells the operator to remove the argument rather than set it.
          tests:
            bin_op: or
            test_items:
              - flag: "--make-iptables-util-chains"
                path: "{.makeIPTablesUtilChains}"
                compare:
                  op: eq
                  value: "true"
              - flag: "--make-iptables-util-chains"
                path: "{.makeIPTablesUtilChains}"
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            remove the --make-iptables-util-chains argument from the
            KUBELET_SYSTEM_PODS_ARGS variable.
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: "4.2.8"
          text: "Ensure that the --hostname-override argument is not set (Manual)"
          # This property can only be set as a command line argument, so the
          # kubelet command line is inspected and there is no audit_config /
          # path pair for it; the check passes only when the flag is absent.
          audit: "/bin/ps -fC $kubeletbin "
          tests:
            test_items:
              - flag: "--hostname-override"
                set: false
          remediation: |
            Edit the kubelet service file $kubeletsvc
            on each worker node and remove the --hostname-override argument from the
            KUBELET_SYSTEM_PODS_ARGS variable.
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "4.2.9"
          text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # NOTE(review): the title admits "a level which ensures appropriate
          # event capture", but the test only passes on exactly 0; any other
          # configured level (or an unset value) does not pass. The remediation
          # also refers to "the below parameter" without naming one. Confirm
          # the intended policy before tightening or relaxing this.
          tests:
            test_items:
              - flag: "--event-qps"
                path: "{.eventRecordQPS}"
                compare:
                  op: eq
                  value: "0"
          remediation: |
            If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "4.2.10"
          text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # Presence-only for both items; with no bin_op both must be found.
          tests:
            test_items:
              - flag: "--tls-cert-file"
                path: "{.tlsCertFile}"
              - flag: "--tls-private-key-file"
                path: "{.tlsPrivateKeyFile}"
          remediation: |
            If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
            of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
            to the location of the corresponding private key file.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
            --tls-cert-file=<path/to/tls-certificate-file>
            --tls-private-key-file=<path/to/tls-key-file>
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "4.2.11"
          text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # Explicit true or unset both pass; only an explicit false fails.
          tests:
            bin_op: or
            test_items:
              - flag: "--rotate-certificates"
                path: "{.rotateCertificates}"
                compare:
                  op: eq
                  value: "true"
              - flag: "--rotate-certificates"
                path: "{.rotateCertificates}"
                set: false
          remediation: |
            If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
            remove it altogether to use the default value.
            If using command line arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
            variable.
            Based on your system, restart the kubelet service. For example,
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: true

        - id: "4.2.12"
          text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # NOTE(review): despite the title, this does not require the gate to
          # be true - it passes whenever the gate is not set to false, including
          # when the gate is absent (second item). The flag is matched inside
          # the --feature-gates list rather than as its own argument.
          tests:
            bin_op: or
            test_items:
              - flag: "RotateKubeletServerCertificate"
                path: "{.featureGates.RotateKubeletServerCertificate}"
                compare:
                  op: nothave
                  value: "false"
              - flag: "RotateKubeletServerCertificate"
                path: "{.featureGates.RotateKubeletServerCertificate}"
                set: false
          remediation: |
            Edit the kubelet service file $kubeletsvc
            on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
            --feature-gates=RotateKubeletServerCertificate=true
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false

        - id: "4.2.13"
          text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
          audit: "/bin/ps -fC $kubeletbin"
          audit_config: "/bin/cat $kubeletconf"
          # The JSONPath joins the configured suites with commas so they can be
          # compared as one list; valid_elements accepts a configuration whose
          # suites are all drawn from the value below (a subset passes, an
          # extra suite fails). The TLS_RSA_* entries mirror the benchmark
          # text but offer no forward secrecy; drop them from the kubelet
          # configuration if local policy requires ECDHE only.
          tests:
            test_items:
              - flag: "--tls-cipher-suites"
                path: "{range .tlsCipherSuites[:]}{}{','}{end}"
                compare:
                  op: valid_elements
                  value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
          remediation: |
            If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
            or to a subset of these values.
            If using executable arguments, edit the kubelet service file
            $kubeletsvc on each worker node and
            set the --tls-cipher-suites parameter as follows, or to a subset of these values.
            --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
            Based on your system, restart the kubelet service. For example:
            systemctl daemon-reload
            systemctl restart kubelet.service
          scored: false