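---
# CIS Kubernetes Benchmark v1.24, section 4 (worker node), in kube-bench's
# `controls` format. Each check runs `audit` (and, for kubelet settings,
# `audit_config`) through /bin/sh and matches the output against `test_items`.
# `$kubeletsvc`, `$kubeletconf`, `$kubeletbin`, `$proxykubeconfig`,
# `$kubeletkubeconfig` and `$kubeletcafile` are kube-bench configuration
# variables that are resolved for the target platform before the command runs
# (they are not shell variables); `$CAFILE` in 4.1.7/4.1.8 is a real shell
# variable and is therefore quoted.
controls:
version: "cis-1.24"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    # Mode checks use `op: bitmask` against "600": the audited mode passes only
    # when it is at least as restrictive as that value. Ownership checks look
    # for the literal `root:root` in `stat -c %U:%G` output.
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chmod 600 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        # `bin_op: or` together with the "File not found" item means a missing
        # service file passes; only a present file with non-root ownership fails.
        audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "File not found"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
        # The audit prints nothing when the file is absent; `set: true` requires
        # the permissions line to be present for the comparison to run.
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
        # The CA path is taken from the running kubelet's --client-ca-file flag
        # and falls back to $kubeletcafile when the flag is absent. `grep -v
        # apiserver` also drops the `sh -c` line running this script from the
        # `ps` output. $CAFILE is quoted so that an empty value is handled by
        # `test -z` / `test -e` as an empty string rather than a missing operand.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi
          if test -e "$CAFILE"; then stat -c permissions=%a "$CAFILE"; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 600 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        # Same CA-file discovery as 4.1.7; see the note there.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi
          if test -e "$CAFILE"; then stat -c %U:%G "$CAFILE"; fi
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 600 $kubeletconf
        scored: false

      - id: 4.1.10
        text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: false

  - id: 4.2
    text: "Kubelet"
    # Kubelet settings can come from the command line or from the kubelet
    # config file. Each check reads the live process (`ps -fC $kubeletbin`) via
    # `audit` and the config file via `audit_config`; `path` is the JSONPath of
    # the same setting in that file, so either source satisfies the test.
    checks:
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: "false"
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        # Presence-only check: no `compare`, so any value for the flag or the
        # config path passes.
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Verify that the --read-only-port argument is set to 0 (Manual)"
        # Passes when the port is explicitly 0 or when the setting is absent
        # (`set: false`).
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: "0"
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: "0"
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        # Unlike most checks in this group there is no `set: false` item: the
        # setting must be present and true.
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: "true"
        remediation: |
          If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        # Passes when explicitly true or when the setting is absent (`set: false`).
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: "true"
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
        # NOTE(review): the remediation says "set the below parameter" but names
        # no flag; the command-line form of `eventRecordQPS` is `--event-qps`,
        # the flag this check matches.
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: gte
                value: "0"
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        # Presence-only check for both settings; no value comparison.
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        # Passes when explicitly true or when the setting is absent (`set: false`).
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: "true"
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        # The audit also reads `featureGates` from the config file, but the
        # remediation only describes the --feature-gates command-line form.
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: "false"
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        # `path` joins the configured suites with commas so that the config-file
        # form is compared the same way as the flag; `valid_elements` requires
        # every configured suite to be in the allow-list below.
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false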