github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/cis-1.5/master.yaml (about) 1 --- 2 controls: 3 version: "cis-1.5" 4 id: 1 5 text: "Master Node Security Configuration" 6 type: "master" 7 groups: 8 - id: 1.1 9 text: "Master Node Configuration Files" 10 checks: 11 - id: 1.1.1 12 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" 13 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" 14 tests: 15 test_items: 16 - flag: "permissions" 17 compare: 18 op: bitmask 19 value: "644" 20 set: true 21 remediation: | 22 Run the below command (based on the file location on your system) on the 23 master node. 24 For example, chmod 644 $apiserverconf 25 scored: true 26 27 - id: 1.1.2 28 text: "Ensure that the API server pod specification file ownership is set to root:root (Scored)" 29 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" 30 tests: 31 test_items: 32 - flag: "root:root" 33 compare: 34 op: eq 35 value: "root:root" 36 set: true 37 remediation: | 38 Run the below command (based on the file location on your system) on the master node. 39 For example, 40 chown root:root $apiserverconf 41 scored: true 42 43 - id: 1.1.3 44 text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" 45 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" 46 tests: 47 test_items: 48 - flag: "permissions" 49 compare: 50 op: bitmask 51 value: "644" 52 set: true 53 remediation: | 54 Run the below command (based on the file location on your system) on the master node. 
55 For example, 56 chmod 644 $controllermanagerconf 57 scored: true 58 59 - id: 1.1.4 60 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Scored)" 61 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" 62 tests: 63 test_items: 64 - flag: "root:root" 65 compare: 66 op: eq 67 value: "root:root" 68 set: true 69 remediation: | 70 Run the below command (based on the file location on your system) on the master node. 71 For example, 72 chown root:root $controllermanagerconf 73 scored: true 74 75 - id: 1.1.5 76 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" 77 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" 78 tests: 79 test_items: 80 - flag: "permissions" 81 compare: 82 op: bitmask 83 value: "644" 84 set: true 85 remediation: | 86 Run the below command (based on the file location on your system) on the master node. 87 For example, 88 chmod 644 $schedulerconf 89 scored: true 90 91 - id: 1.1.6 92 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Scored)" 93 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" 94 tests: 95 test_items: 96 - flag: "root:root" 97 compare: 98 op: eq 99 value: "root:root" 100 set: true 101 remediation: | 102 Run the below command (based on the file location on your system) on the master node. 
103 For example, 104 chown root:root $schedulerconf 105 scored: true 106 107 - id: 1.1.7 108 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" 109 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'" 110 tests: 111 test_items: 112 - flag: "permissions" 113 compare: 114 op: bitmask 115 value: "644" 116 set: true 117 remediation: | 118 Run the below command (based on the file location on your system) on the master node. 119 For example, 120 chmod 644 $etcdconf 121 scored: true 122 123 - id: 1.1.8 124 text: "Ensure that the etcd pod specification file ownership is set to root:root (Scored)" 125 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" 126 tests: 127 test_items: 128 - flag: "root:root" 129 compare: 130 op: eq 131 value: "root:root" 132 set: true 133 remediation: | 134 Run the below command (based on the file location on your system) on the master node. 135 For example, 136 chown root:root $etcdconf 137 scored: true 138 139 - id: 1.1.9 140 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" 141 audit: "stat -c permissions=%a <path/to/cni/files>" 142 type: "manual" 143 remediation: | 144 Run the below command (based on the file location on your system) on the master node. 145 For example, 146 chmod 644 <path/to/cni/files> 147 scored: false 148 149 - id: 1.1.10 150 text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)" 151 audit: "stat -c %U:%G <path/to/cni/files>" 152 type: "manual" 153 remediation: | 154 Run the below command (based on the file location on your system) on the master node. 
155 For example, 156 chown root:root <path/to/cni/files> 157 scored: false 158 159 - id: 1.1.11 160 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" 161 audit: | 162 DATA_DIR='' 163 for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do 164 if test -d "$d"; then DATA_DIR="$d"; fi 165 done 166 if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi 167 stat -c permissions=%a "$DATA_DIR" 168 tests: 169 test_items: 170 - flag: "permissions" 171 compare: 172 op: bitmask 173 value: "700" 174 set: true 175 remediation: | 176 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 177 from the below command: 178 ps -ef | grep etcd 179 Run the below command (based on the etcd data directory found above). For example, 180 chmod 700 /var/lib/etcd 181 scored: true 182 183 - id: 1.1.12 184 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" 185 audit: | 186 DATA_DIR='' 187 for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do 188 if test -d "$d"; then DATA_DIR="$d"; fi 189 done 190 if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi 191 stat -c %U:%G $DATA_DIR 192 tests: 193 test_items: 194 - flag: "etcd:etcd" 195 set: true 196 remediation: | 197 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 198 from the below command: 199 ps -ef | grep etcd 200 Run the below command (based on the etcd data directory found above). 
201 For example, chown etcd:etcd /var/lib/etcd 202 scored: true 203 204 - id: 1.1.13 205 text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)" 206 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'" 207 tests: 208 test_items: 209 - flag: "permissions" 210 compare: 211 op: bitmask 212 value: "644" 213 set: true 214 remediation: | 215 Run the below command (based on the file location on your system) on the master node. 216 For example, 217 chmod 644 /etc/kubernetes/admin.conf 218 scored: true 219 220 - id: 1.1.14 221 text: "Ensure that the admin.conf file ownership is set to root:root (Scored)" 222 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'" 223 tests: 224 test_items: 225 - flag: "root:root" 226 compare: 227 op: eq 228 value: "root:root" 229 set: true 230 remediation: | 231 Run the below command (based on the file location on your system) on the master node. 232 For example, 233 chown root:root /etc/kubernetes/admin.conf 234 scored: true 235 236 - id: 1.1.15 237 text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)" 238 audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'" 239 tests: 240 test_items: 241 - flag: "permissions" 242 compare: 243 op: bitmask 244 value: "644" 245 set: true 246 remediation: | 247 Run the below command (based on the file location on your system) on the master node. 
248 For example, 249 chmod 644 $schedulerkubeconfig 250 scored: true 251 252 - id: 1.1.16 253 text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)" 254 audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'" 255 tests: 256 test_items: 257 - flag: "root:root" 258 compare: 259 op: eq 260 value: "root:root" 261 set: true 262 remediation: | 263 Run the below command (based on the file location on your system) on the master node. 264 For example, 265 chown root:root $schedulerkubeconfig 266 scored: true 267 268 - id: 1.1.17 269 text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)" 270 audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'" 271 tests: 272 test_items: 273 - flag: "permissions" 274 compare: 275 op: bitmask 276 value: "644" 277 set: true 278 remediation: | 279 Run the below command (based on the file location on your system) on the master node. 280 For example, 281 chmod 644 $controllermanagerkubeconfig 282 scored: true 283 284 - id: 1.1.18 285 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)" 286 audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'" 287 tests: 288 test_items: 289 - flag: "root:root" 290 compare: 291 op: eq 292 value: "root:root" 293 set: true 294 remediation: | 295 Run the below command (based on the file location on your system) on the master node. 
296 For example, 297 chown root:root $controllermanagerkubeconfig 298 scored: true 299 300 - id: 1.1.19 301 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)" 302 audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G" 303 use_multiple_values: true 304 tests: 305 test_items: 306 - flag: "root:root" 307 compare: 308 op: eq 309 value: "root:root" 310 set: true 311 remediation: | 312 Run the below command (based on the file location on your system) on the master node. 313 For example, 314 chown -R root:root /etc/kubernetes/pki/ 315 scored: true 316 317 - id: 1.1.20 318 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)" 319 audit: "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a" 320 use_multiple_values: true 321 tests: 322 test_items: 323 - flag: "permissions" 324 compare: 325 op: bitmask 326 value: "644" 327 set: true 328 remediation: | 329 Run the below command (based on the file location on your system) on the master node. 330 For example, 331 chmod -R 644 /etc/kubernetes/pki/*.crt 332 scored: false 333 334 - id: 1.1.21 335 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)" 336 audit: "find /etc/kubernetes/pki/ -name '*.key' | xargs stat -c permissions=%a" 337 use_multiple_values: true 338 tests: 339 test_items: 340 - flag: "permissions" 341 compare: 342 op: bitmask 343 value: "600" 344 set: true 345 remediation: | 346 Run the below command (based on the file location on your system) on the master node. 
347 For example, 348 chmod -R 600 /etc/kubernetes/pki/*.key 349 scored: false 350 351 - id: 1.2 352 text: "API Server" 353 checks: 354 - id: 1.2.1 355 text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)" 356 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 357 tests: 358 test_items: 359 - flag: "--anonymous-auth" 360 compare: 361 op: eq 362 value: false 363 set: true 364 remediation: | 365 Edit the API server pod specification file $apiserverconf 366 on the master node and set the below parameter. 367 --anonymous-auth=false 368 scored: false 369 370 - id: 1.2.2 371 text: "Ensure that the --basic-auth-file argument is not set (Scored)" 372 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 373 tests: 374 test_items: 375 - flag: "--basic-auth-file" 376 set: false 377 remediation: | 378 Follow the documentation and configure alternate mechanisms for authentication. Then, 379 edit the API server pod specification file $apiserverconf 380 on the master node and remove the --basic-auth-file=<filename> parameter. 381 scored: true 382 383 - id: 1.2.3 384 text: "Ensure that the --token-auth-file parameter is not set (Scored)" 385 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 386 tests: 387 test_items: 388 - flag: "--token-auth-file" 389 set: false 390 remediation: | 391 Follow the documentation and configure alternate mechanisms for authentication. Then, 392 edit the API server pod specification file $apiserverconf 393 on the master node and remove the --token-auth-file=<filename> parameter. 
394 scored: true 395 396 - id: 1.2.4 397 text: "Ensure that the --kubelet-https argument is set to true (Scored)" 398 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 399 tests: 400 bin_op: or 401 test_items: 402 - flag: "--kubelet-https" 403 compare: 404 op: eq 405 value: true 406 set: true 407 - flag: "--kubelet-https" 408 set: false 409 remediation: | 410 Edit the API server pod specification file $apiserverconf 411 on the master node and remove the --kubelet-https parameter. 412 scored: true 413 414 - id: 1.2.5 415 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" 416 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 417 tests: 418 bin_op: and 419 test_items: 420 - flag: "--kubelet-client-certificate" 421 set: true 422 - flag: "--kubelet-client-key" 423 set: true 424 remediation: | 425 Follow the Kubernetes documentation and set up the TLS connection between the 426 apiserver and kubelets. Then, edit the API server pod specification file 427 $apiserverconf on the master node and set the 428 kubelet client certificate and key parameters as below. 429 --kubelet-client-certificate=<path/to/client-certificate-file> 430 --kubelet-client-key=<path/to/client-key-file> 431 scored: true 432 433 - id: 1.2.6 434 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" 435 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 436 tests: 437 test_items: 438 - flag: "--kubelet-certificate-authority" 439 set: true 440 remediation: | 441 Follow the Kubernetes documentation and set up the TLS connection between 442 the apiserver and kubelets. Then, edit the API server pod specification file 443 $apiserverconf on the master node and set the 444 --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. 
445 --kubelet-certificate-authority=<ca-string> 446 scored: true 447 448 - id: 1.2.7 449 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" 450 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 451 tests: 452 test_items: 453 - flag: "--authorization-mode" 454 compare: 455 op: nothave 456 value: "AlwaysAllow" 457 set: true 458 remediation: | 459 Edit the API server pod specification file $apiserverconf 460 on the master node and set the --authorization-mode parameter to values other than AlwaysAllow. 461 One such example could be as below. 462 --authorization-mode=RBAC 463 scored: true 464 465 - id: 1.2.8 466 text: "Ensure that the --authorization-mode argument includes Node (Scored)" 467 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 468 tests: 469 test_items: 470 - flag: "--authorization-mode" 471 compare: 472 op: has 473 value: "Node" 474 set: true 475 remediation: | 476 Edit the API server pod specification file $apiserverconf 477 on the master node and set the --authorization-mode parameter to a value that includes Node. 
478 --authorization-mode=Node,RBAC 479 scored: true 480 481 - id: 1.2.9 482 text: "Ensure that the --authorization-mode argument includes RBAC (Scored)" 483 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 484 tests: 485 test_items: 486 - flag: "--authorization-mode" 487 compare: 488 op: has 489 value: "RBAC" 490 set: true 491 remediation: | 492 Edit the API server pod specification file $apiserverconf 493 on the master node and set the --authorization-mode parameter to a value that includes RBAC, 494 for example: 495 --authorization-mode=Node,RBAC 496 scored: true 497 498 - id: 1.2.10 499 text: "Ensure that the admission control plugin EventRateLimit is set (Not Scored)" 500 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 501 tests: 502 test_items: 503 - flag: "--enable-admission-plugins" 504 compare: 505 op: has 506 value: "EventRateLimit" 507 set: true 508 remediation: | 509 Follow the Kubernetes documentation and set the desired limits in a configuration file. 510 Then, edit the API server pod specification file $apiserverconf 511 and set the below parameters. 512 --enable-admission-plugins=...,EventRateLimit,... 513 --admission-control-config-file=<path/to/configuration/file> 514 scored: false 515 516 - id: 1.2.11 517 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)" 518 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 519 tests: 520 bin_op: or 521 test_items: 522 - flag: "--enable-admission-plugins" 523 compare: 524 op: nothave 525 value: AlwaysAdmit 526 set: true 527 - flag: "--enable-admission-plugins" 528 set: false 529 remediation: | 530 Edit the API server pod specification file $apiserverconf 531 on the master node and either remove the --enable-admission-plugins parameter, or set it to a 532 value that does not include AlwaysAdmit. 
533 scored: true 534 535 - id: 1.2.12 536 text: "Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)" 537 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 538 tests: 539 test_items: 540 - flag: "--enable-admission-plugins" 541 compare: 542 op: has 543 value: "AlwaysPullImages" 544 set: true 545 remediation: | 546 Edit the API server pod specification file $apiserverconf 547 on the master node and set the --enable-admission-plugins parameter to include 548 AlwaysPullImages. 549 --enable-admission-plugins=...,AlwaysPullImages,... 550 scored: false 551 552 - id: 1.2.13 553 text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)" 554 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 555 tests: 556 bin_op: or 557 test_items: 558 - flag: "--enable-admission-plugins" 559 compare: 560 op: has 561 value: "SecurityContextDeny" 562 set: true 563 - flag: "--enable-admission-plugins" 564 compare: 565 op: has 566 value: "PodSecurityPolicy" 567 set: true 568 remediation: | 569 Edit the API server pod specification file $apiserverconf 570 on the master node and set the --enable-admission-plugins parameter to include 571 SecurityContextDeny, unless PodSecurityPolicy is already in place. 572 --enable-admission-plugins=...,SecurityContextDeny,... 573 scored: false 574 575 - id: 1.2.14 576 text: "Ensure that the admission control plugin ServiceAccount is set (Scored)" 577 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 578 tests: 579 bin_op: or 580 test_items: 581 - flag: "--disable-admission-plugins" 582 compare: 583 op: nothave 584 value: "ServiceAccount" 585 set: true 586 - flag: "--disable-admission-plugins" 587 set: false 588 remediation: | 589 Follow the documentation and create ServiceAccount objects as per your environment. 
590 Then, edit the API server pod specification file $apiserverconf 591 on the master node and ensure that the --disable-admission-plugins parameter is set to a 592 value that does not include ServiceAccount. 593 scored: true 594 595 - id: 1.2.15 596 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)" 597 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 598 tests: 599 bin_op: or 600 test_items: 601 - flag: "--disable-admission-plugins" 602 compare: 603 op: nothave 604 value: "NamespaceLifecycle" 605 set: true 606 - flag: "--disable-admission-plugins" 607 set: false 608 remediation: | 609 Edit the API server pod specification file $apiserverconf 610 on the master node and set the --disable-admission-plugins parameter to 611 ensure it does not include NamespaceLifecycle. 612 scored: true 613 614 - id: 1.2.16 615 text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)" 616 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 617 tests: 618 test_items: 619 - flag: "--enable-admission-plugins" 620 compare: 621 op: has 622 value: "PodSecurityPolicy" 623 set: true 624 remediation: | 625 Follow the documentation and create Pod Security Policy objects as per your environment. 626 Then, edit the API server pod specification file $apiserverconf 627 on the master node and set the --enable-admission-plugins parameter to a 628 value that includes PodSecurityPolicy: 629 --enable-admission-plugins=...,PodSecurityPolicy,... 630 Then restart the API Server. 631 scored: true 632 633 - id: 1.2.17 634 text: "Ensure that the admission control plugin NodeRestriction is set (Scored)" 635 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 636 tests: 637 test_items: 638 - flag: "--enable-admission-plugins" 639 compare: 640 op: has 641 value: "NodeRestriction" 642 set: true 643 remediation: | 644 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. 
645 Then, edit the API server pod specification file $apiserverconf 646 on the master node and set the --enable-admission-plugins parameter to a 647 value that includes NodeRestriction. 648 --enable-admission-plugins=...,NodeRestriction,... 649 scored: true 650 651 - id: 1.2.18 652 text: "Ensure that the --insecure-bind-address argument is not set (Scored)" 653 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 654 tests: 655 test_items: 656 - flag: "--insecure-bind-address" 657 set: false 658 remediation: | 659 Edit the API server pod specification file $apiserverconf 660 on the master node and remove the --insecure-bind-address parameter. 661 scored: true 662 663 - id: 1.2.19 664 text: "Ensure that the --insecure-port argument is set to 0 (Scored)" 665 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 666 tests: 667 test_items: 668 - flag: "--insecure-port" 669 compare: 670 op: eq 671 value: 0 672 set: true 673 remediation: | 674 Edit the API server pod specification file $apiserverconf 675 on the master node and set the below parameter. 676 --insecure-port=0 677 scored: true 678 679 - id: 1.2.20 680 text: "Ensure that the --secure-port argument is not set to 0 (Scored)" 681 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 682 tests: 683 bin_op: or 684 test_items: 685 - flag: "--secure-port" 686 compare: 687 op: gt 688 value: 0 689 set: true 690 - flag: "--secure-port" 691 set: false 692 remediation: | 693 Edit the API server pod specification file $apiserverconf 694 on the master node and either remove the --secure-port parameter or 695 set it to a different (non-zero) desired port. 
696 scored: true 697 698 - id: 1.2.21 699 text: "Ensure that the --profiling argument is set to false (Scored)" 700 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 701 tests: 702 test_items: 703 - flag: "--profiling" 704 compare: 705 op: eq 706 value: false 707 set: true 708 remediation: | 709 Edit the API server pod specification file $apiserverconf 710 on the master node and set the below parameter. 711 --profiling=false 712 scored: true 713 714 - id: 1.2.22 715 text: "Ensure that the --audit-log-path argument is set (Scored)" 716 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 717 tests: 718 test_items: 719 - flag: "--audit-log-path" 720 set: true 721 remediation: | 722 Edit the API server pod specification file $apiserverconf 723 on the master node and set the --audit-log-path parameter to a suitable path and 724 file where you would like audit logs to be written, for example: 725 --audit-log-path=/var/log/apiserver/audit.log 726 scored: true 727 728 - id: 1.2.23 729 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" 730 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 731 tests: 732 test_items: 733 - flag: "--audit-log-maxage" 734 compare: 735 op: gte 736 value: 30 737 set: true 738 remediation: | 739 Edit the API server pod specification file $apiserverconf 740 on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days: 741 --audit-log-maxage=30 742 scored: true 743 744 - id: 1.2.24 745 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" 746 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 747 tests: 748 test_items: 749 - flag: "--audit-log-maxbackup" 750 compare: 751 op: gte 752 value: 10 753 set: true 754 remediation: | 755 Edit the API server pod specification file $apiserverconf 756 on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate 757 value. 
758 --audit-log-maxbackup=10 759 scored: true 760 761 - id: 1.2.25 762 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" 763 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 764 tests: 765 test_items: 766 - flag: "--audit-log-maxsize" 767 compare: 768 op: gte 769 value: 100 770 set: true 771 remediation: | 772 Edit the API server pod specification file $apiserverconf 773 on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB. 774 For example, to set it as 100 MB: 775 --audit-log-maxsize=100 776 scored: true 777 778 - id: 1.2.26 779 text: "Ensure that the --request-timeout argument is set as appropriate (Scored)" 780 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 781 type: manual 782 remediation: | 783 Edit the API server pod specification file $apiserverconf 784 and set the below parameter as appropriate and if needed. 785 For example, 786 --request-timeout=300s 787 scored: true 788 789 - id: 1.2.27 790 text: "Ensure that the --service-account-lookup argument is set to true (Scored)" 791 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 792 tests: 793 bin_op: or 794 test_items: 795 - flag: "--service-account-lookup" 796 set: false 797 - flag: "--service-account-lookup" 798 compare: 799 op: eq 800 value: true 801 set: true 802 remediation: | 803 Edit the API server pod specification file $apiserverconf 804 on the master node and set the below parameter. 805 --service-account-lookup=true 806 Alternatively, you can delete the --service-account-lookup parameter from this file so 807 that the default takes effect. 
808 scored: true 809 810 - id: 1.2.28 811 text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" 812 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 813 tests: 814 test_items: 815 - flag: "--service-account-key-file" 816 set: true 817 remediation: | 818 Edit the API server pod specification file $apiserverconf 819 on the master node and set the --service-account-key-file parameter 820 to the public key file for service accounts: 821 --service-account-key-file=<filename> 822 scored: true 823 824 - id: 1.2.29 825 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)" 826 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 827 tests: 828 bin_op: and 829 test_items: 830 - flag: "--etcd-certfile" 831 set: true 832 - flag: "--etcd-keyfile" 833 set: true 834 remediation: | 835 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 836 Then, edit the API server pod specification file $apiserverconf 837 on the master node and set the etcd certificate and key file parameters. 838 --etcd-certfile=<path/to/client-certificate-file> 839 --etcd-keyfile=<path/to/client-key-file> 840 scored: true 841 842 - id: 1.2.30 843 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" 844 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 845 tests: 846 bin_op: and 847 test_items: 848 - flag: "--tls-cert-file" 849 set: true 850 - flag: "--tls-private-key-file" 851 set: true 852 remediation: | 853 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 854 Then, edit the API server pod specification file $apiserverconf 855 on the master node and set the TLS certificate and private key file parameters. 
856 --tls-cert-file=<path/to/tls-certificate-file> 857 --tls-private-key-file=<path/to/tls-key-file> 858 scored: true 859 860 - id: 1.2.31 861 text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" 862 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 863 tests: 864 test_items: 865 - flag: "--client-ca-file" 866 set: true 867 remediation: | 868 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 869 Then, edit the API server pod specification file $apiserverconf 870 on the master node and set the client certificate authority file. 871 --client-ca-file=<path/to/client-ca-file> 872 scored: true 873 874 - id: 1.2.32 875 text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" 876 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 877 tests: 878 test_items: 879 - flag: "--etcd-cafile" 880 set: true 881 remediation: | 882 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 883 Then, edit the API server pod specification file $apiserverconf 884 on the master node and set the etcd certificate authority file parameter. 885 --etcd-cafile=<path/to/ca-file> 886 scored: true 887 888 - id: 1.2.33 889 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)" 890 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 891 tests: 892 test_items: 893 - flag: "--encryption-provider-config" 894 set: true 895 remediation: | 896 Follow the Kubernetes documentation and configure an EncryptionConfig file. 
897 Then, edit the API server pod specification file $apiserverconf 898 on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File> 899 scored: false 900 901 - id: 1.2.34 902 text: "Ensure that encryption providers are appropriately configured (Not Scored)" 903 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 904 type: "manual" 905 remediation: | 906 Follow the Kubernetes documentation and configure an EncryptionConfig file. 907 In this file, choose aescbc, kms or secretbox as the encryption provider. 908 scored: false 909 910 - id: 1.2.35 911 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)" 912 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 913 tests: 914 test_items: 915 - flag: "--tls-cipher-suites" 916 compare: 917 op: valid_elements 918 value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" 919 set: true 920 remediation: | 921 Edit the API server pod specification file $apiserverconf 922 on the master node and set the below parameter. 
923 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 924 scored: false 925 926 - id: 1.3 927 text: "Controller Manager" 928 checks: 929 - id: 1.3.1 930 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)" 931 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 932 tests: 933 test_items: 934 - flag: "--terminated-pod-gc-threshold" 935 set: true 936 remediation: | 937 Edit the Controller Manager pod specification file $controllermanagerconf 938 on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, 939 for example: 940 --terminated-pod-gc-threshold=10 941 scored: false 942 943 - id: 1.3.2 944 text: "Ensure that the --profiling argument is set to false (Scored)" 945 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 946 tests: 947 test_items: 948 - flag: "--profiling" 949 compare: 950 op: eq 951 value: false 952 set: true 953 remediation: | 954 Edit the Controller Manager pod specification file $controllermanagerconf 955 on the master node and set the below parameter. 956 --profiling=false 957 scored: true 958 959 - id: 1.3.3 960 text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)" 961 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 962 tests: 963 test_items: 964 - flag: "--use-service-account-credentials" 965 compare: 966 op: noteq 967 value: false 968 set: true 969 remediation: | 970 Edit the Controller Manager pod specification file $controllermanagerconf 971 on the master node to set the below parameter. 
972 --use-service-account-credentials=true 973 scored: true 974 975 - id: 1.3.4 976 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" 977 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 978 tests: 979 test_items: 980 - flag: "--service-account-private-key-file" 981 set: true 982 remediation: | 983 Edit the Controller Manager pod specification file $controllermanagerconf 984 on the master node and set the --service-account-private-key-file parameter 985 to the private key file for service accounts. 986 --service-account-private-key-file=<filename> 987 scored: true 988 989 - id: 1.3.5 990 text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" 991 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 992 tests: 993 test_items: 994 - flag: "--root-ca-file" 995 set: true 996 remediation: | 997 Edit the Controller Manager pod specification file $controllermanagerconf 998 on the master node and set the --root-ca-file parameter to the certificate bundle file. 999 --root-ca-file=<path/to/file> 1000 scored: true 1001 1002 - id: 1.3.6 1003 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" 1004 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 1005 tests: 1006 bin_op: or 1007 test_items: 1008 - flag: "--feature-gates" 1009 compare: 1010 op: nothave 1011 value: "RotateKubeletServerCertificate=false" 1012 set: true 1013 - flag: "--feature-gates" 1014 set: false 1015 remediation: | 1016 Edit the Controller Manager pod specification file $controllermanagerconf 1017 on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 
1018 --feature-gates=RotateKubeletServerCertificate=true 1019 scored: true 1020 1021 - id: 1.3.7 1022 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Scored)" 1023 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 1024 tests: 1025 bin_op: or 1026 test_items: 1027 - flag: "--bind-address" 1028 compare: 1029 op: eq 1030 value: "127.0.0.1" 1031 set: true 1032 - flag: "--bind-address" 1033 set: false 1034 remediation: | 1035 Edit the Controller Manager pod specification file $controllermanagerconf 1036 on the master node and ensure the --bind-address parameter is set to the correct value. 1037 scored: true 1038 1039 - id: 1.4 1040 text: "Scheduler" 1041 checks: 1042 - id: 1.4.1 1043 text: "Ensure that the --profiling argument is set to false (Scored)" 1044 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 1045 tests: 1046 test_items: 1047 - flag: "--profiling" 1048 compare: 1049 op: eq 1050 value: false 1051 set: true 1052 remediation: | 1053 Edit the Scheduler pod specification file $schedulerconf 1054 on the master node and set the below parameter. 1055 --profiling=false 1056 scored: true 1057 1058 - id: 1.4.2 1059 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Scored)" 1060 audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" 1061 tests: 1062 bin_op: or 1063 test_items: 1064 - flag: "--bind-address" 1065 compare: 1066 op: eq 1067 value: "127.0.0.1" 1068 set: true 1069 - flag: "--bind-address" 1070 set: false 1071 remediation: | 1072 Edit the Scheduler pod specification file $schedulerconf 1073 on the master node and ensure the --bind-address parameter is set to the correct value. 1074 scored: true
