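---
# kube-bench profile: CIS Kubernetes Benchmark 1.24, section 4 (worker node),
# MicroK8s variant.
#
# Placeholders such as $kubeletsvc, $kubeletconf, $kubeletkubeconfig,
# $proxykubeconfig and $kubeletcafile are substituted by kube-bench from the
# profile's config.yaml before each audit command is run. `value:` scalars
# under `compare:` are compared as text by kube-bench, so they are quoted here
# to keep the YAML parser from retyping them (false -> bool, 0 -> int).
#
# NOTE(review): the remediation text is inherited from the generic profile and
# refers to the kubelet systemd service file and KUBELET_*_ARGS variables. On
# MicroK8s the kubelet arguments are managed by the snap, so treat those
# instructions as illustrative and apply the equivalent change to whatever
# $kubeletsvc / $kubeletconf resolve to on the node.
controls:
version: "cis-1.24"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi' "
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example, chmod 600 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi' "
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
        audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi' "
        # Single test item, so no bin_op is needed (the original `bin_op: or` was a no-op).
        tests:
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 600 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi' "
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi' "
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chmod 600 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi' "
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
        # Take the CA path from the running kubelet's --client-ca-file argument and
        # fall back to $kubeletcafile from config.yaml when the flag is absent.
        # `grep -v apiserver` keeps kube-apiserver out of the match: its command
        # line typically mentions "kubelet" and carries its own --client-ca-file.
        # $CAFILE is quoted so an empty or space-containing value is handled by
        # `test` as a single argument rather than by accident.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
          if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi
          if test -e "$CAFILE"; then stat -c permissions=%a "$CAFILE"; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 600 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        # Same CA-file discovery as 4.1.7; only the stat format differs.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
          if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi
          if test -e "$CAFILE"; then stat -c %U:%G "$CAFILE"; fi
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
        audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi' "
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 600 $kubeletconf
        scored: false

      - id: 4.1.10
        text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
        audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi' "
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: false

  - id: 4.2
    text: "Kubelet"
    # In this profile `audit` and `audit_config` both read $kubeletconf. kube-bench
    # matches `flag:` against the audit output and `path:` (JSONPath) against the
    # audit_config output, so each check works whether that file holds kubelet
    # command-line arguments or a KubeletConfiguration document.
    # Items without `set: false` are treated as `set: true` and FAIL when the
    # setting is absent, i.e. they do not rely on kubelet defaults.
    checks:
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: "{.authentication.anonymous.enabled}"
              compare:
                op: eq
                value: "false"
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # An absent authorization mode also fails here (no `set: false` branch),
        # which is the safe direction: the setting must be explicit and not AlwaysAllow.
        tests:
          test_items:
            - flag: --authorization-mode
              path: "{.authorization.mode}"
              compare:
                op: nothave
                value: "AlwaysAllow"
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # Presence-only check: it verifies a client CA is configured, not that the
        # referenced file exists or is readable (4.1.7 / 4.1.8 cover the file itself).
        tests:
          test_items:
            - flag: --client-ca-file
              path: "{.authentication.x509.clientCAFile}"
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Verify that the --read-only-port argument is set to 0 (Manual)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # NOTE(review): the second item passes when readOnlyPort is absent. That is
        # only safe if "absent" means disabled: the KubeletConfiguration default is 0,
        # but the --read-only-port command-line default is 10255. Confirm which form
        # $kubeletconf holds on MicroK8s before trusting the absent-case pass.
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: "{.readOnlyPort}"
              compare:
                op: eq
                value: "0"
            - flag: "--read-only-port"
              path: "{.readOnlyPort}"
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # Passes when the timeout is set to anything other than 0, or is left unset.
        tests:
          bin_op: or
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: "{.streamingConnectionIdleTimeout}"
              compare:
                op: noteq
                value: "0"
            - flag: --streaming-connection-idle-timeout
              path: "{.streamingConnectionIdleTimeout}"
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: "{.protectKernelDefaults}"
              compare:
                op: eq
                value: "true"
        remediation: |
          If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # Passes when explicitly true or when unset (the remediation relies on the
        # unset case taking the kubelet default).
        tests:
          bin_op: or
          test_items:
            - flag: --make-iptables-util-chains
              path: "{.makeIPTablesUtilChains}"
              compare:
                op: eq
                value: "true"
            - flag: --make-iptables-util-chains
              path: "{.makeIPTablesUtilChains}"
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # --hostname-override can only be passed on the kubelet command line, so this
        # check has no `path:` / audit_config and only looks for the flag in the audit
        # output.
        # NOTE(review): the audit reads $kubeletconf. If that file is the kubelet
        # argument list the check is meaningful; if it is a KubeletConfiguration
        # document the flag can never appear there and `set: false` passes vacuously.
        # Confirm what $kubeletconf resolves to in this profile's config.yaml.
        audit: "cat $kubeletconf"
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # This profile requires eventRecordQPS to be exactly 0, i.e. kubelet-side
        # event rate limiting disabled; any positive QPS, or an absent setting, fails.
        # NOTE(review): an unbounded event rate is itself a resource-exhaustion
        # consideration for the kubelet and API server; review this against the
        # benchmark version in use before treating a non-zero value as a finding.
        tests:
          test_items:
            - flag: --event-qps
              path: "{.eventRecordQPS}"
              compare:
                op: eq
                value: "0"
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to 0, the value this
          check expects (or to the level your event-capture policy requires).
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # Both items must be present (default bin_op is and); the check does not
        # validate the certificate or key contents.
        tests:
          test_items:
            - flag: --tls-cert-file
              path: "{.tlsCertFile}"
            - flag: --tls-private-key-file
              path: "{.tlsPrivateKeyFile}"
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # Passes when explicitly true or when unset; only an explicit false fails.
        tests:
          bin_op: or
          test_items:
            - flag: --rotate-certificates
              path: "{.rotateCertificates}"
              compare:
                op: eq
                value: "true"
            - flag: --rotate-certificates
              path: "{.rotateCertificates}"
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # Fails only when the feature gate is explicitly set to false; absent passes.
        tests:
          bin_op: or
          test_items:
            - flag: RotateKubeletServerCertificate
              path: "{.featureGates.RotateKubeletServerCertificate}"
              compare:
                op: nothave
                value: "false"
            - flag: RotateKubeletServerCertificate
              path: "{.featureGates.RotateKubeletServerCertificate}"
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set
          `featureGates.RotateKubeletServerCertificate` to `true`.
          If using command line arguments, edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "cat $kubeletconf"
        audit_config: "/bin/cat $kubeletconf"
        # `valid_elements` passes when every configured suite is in the allow-list
        # below. The list is the benchmark's; note that the two TLS_RSA_* entries use
        # static RSA key exchange and provide no forward secrecy, so a hardened
        # deployment should prefer the ECDHE subset.
        tests:
          test_items:
            - flag: --tls-cipher-suites
              path: "{range .tlsCipherSuites[:]}{}{','}{end}"
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values (the ECDHE suites are preferred, as the TLS_RSA_* suites
          do not provide forward secrecy).
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false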