---
# cfg/cis-1.5/node.yaml — kube-bench checks for the CIS Kubernetes Benchmark v1.5,
# section 4 (worker node). Each check runs `audit` (and, where present, `audit_config`)
# on the node and evaluates the output with `tests`; `remediation` is the text shown to
# the operator when the check fails.
# The $kubeletsvc, $proxykubeconfig, $kubeletkubeconfig, $kubeletconf, $kubeletcafile and
# $kubeletbin variables are not defined in this file; presumably kube-bench substitutes
# them from its per-platform configuration before the audit runs — verify against the
# loader before relying on a specific path.
# `controls:` has no value here and the control's own keys follow at the same level;
# NOTE(review): this layout is evidently what kube-bench's loader expects — confirm.
controls:
version: "cis-1.5"
id: 4
text: "Worker Node Security Configuration"
type: "node"
# Group and check ids are unquoted: 4.1 and 4.2 parse as floats, 4.1.1 etc. as strings.
# Safe for the ids present, but an id such as 4.10 would be read as 4.1 — quote if one
# is ever added.
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      # Permission checks below use `op: bitmask` against "644"; per the check text this is
      # read as "mode is 644 or more restrictive" — NOTE(review): confirm the comparator's
      # exact semantics for modes with extra bits such as setuid.
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
        # The audit prints nothing when the file is absent, so "permissions" is never set
        # and the check fails (contrast 4.1.2, which passes on a missing file).
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletsvc
        scored: true

      - id: 4.1.2
        # NOTE(review): titled "(Automated)" while every other check in this file uses the
        # CIS 1.5 "(Scored)"/"(Not Scored)" wording; left unchanged here.
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        # Unlike 4.1.1 and 4.1.4, a missing service file PASSES this check: the audit prints
        # "File not found" and `bin_op: or` accepts that as an alternative to root:root.
        # Keep that in mind when a node manages the kubelet without a unit file.
        audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "File not found"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          # `bin_op: or` over a single test item has no effect (same in 4.1.4).
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: true

      - id: 4.1.4
        text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            # No `compare`: the check passes as soon as the literal root:root appears in
            # the stat output.
            - flag: root:root
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: true

      - id: 4.1.5
        text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            # `flag` and the `eq` comparison both name root:root; the compare is redundant
            # with the flag match but harmless (same pattern in 4.1.8).
            - flag: root:root
              set: true
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
        # The CA path is scraped from the running kubelet's --client-ca-file argument, with
        # $kubeletcafile as the fallback. A CA configured only through
        # authentication.x509.clientCAFile in the kubelet config file is not discovered by
        # this audit unless $kubeletcafile already points at it (same for 4.1.8).
        # $CAFILE is unquoted in the test/stat calls, so a path containing whitespace would
        # not be handled.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
        tests:
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 644 <filename>
        scored: true

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
        # Same discovery logic and caveats as 4.1.7.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
        tests:
          test_items:
            - flag: root:root
              set: true
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: true

      - id: 4.1.9
        text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
              set: true
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    # The kubelet checks inspect both the process arguments (`audit`, via ps) and the
    # kubelet config file (`audit_config`, via cat): `flag` is matched in the former and
    # `path` (a JSONPath expression) in the latter. Which source wins when both set the
    # value is decided by kube-bench's test engine, not by anything in this file.
    checks:
      - id: 4.2.1
        text: "Ensure that the anonymous-auth argument is set to false (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              # `set: true` with no `bin_op`/unset alternative: the value must be present
              # and explicitly false; an absent setting fails this check.
              # `value: false` is a YAML boolean here, not the string "false"; presumably
              # kube-bench compares its textual form — confirm in the comparator.
              set: true
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              set: true
              # `nothave`: any mode value that does not contain AlwaysAllow passes.
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Presence-only check: no `compare`, so any configured path passes.
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Passes when the port is explicitly 0 OR when it is not set at all. The unset
          # branch relies on the kubelet's own default being disabled; NOTE(review): confirm
          # that for the kubelet version and launch mode (config file vs. flags) in use.
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Either an explicit non-zero timeout or an unset value (kubelet default) passes.
          # `bin_op` is written after `test_items` here; key order in a mapping is irrelevant.
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: true
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Must be explicitly true; there is no unset alternative for this one.
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              set: true
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Explicit true or unset both pass; the remediation therefore asks to REMOVE the
          # argument rather than set it.
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Not Scored)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        # (The trailing space inside the audit string is harmless to the shell.)
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            # Passes only when the flag is absent from the process arguments.
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Stricter than the title: only an explicit 0 passes, so a kubelet that leaves
            # eventRecordQPS at its default (or sets any other "appropriate level") fails.
            # Not Scored, so this only affects the informational result.
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: true
              compare:
                op: eq
                value: 0
        # NOTE(review): the remediation says "set the below parameter" but names none;
        # presumably an --event-qps=<level> line was intended — confirm against the benchmark.
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # No `bin_op` is given, so presumably both items must be set for a pass — confirm
          # the engine's default combinator.
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
              set: true
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCertFile to the location
          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Explicit true or unset both pass, matching the remediation ("add the line ... or
          # remove it altogether to use the default value").
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.12
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # The flag is a feature-gate name rather than a --option: it is matched inside the
          # --feature-gates value on the command line and under featureGates in the config
          # file. Any setting that does not contain "false", or no setting at all, passes.
          bin_op: or
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: true
              compare:
                op: nothave
                value: false
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              # Single-quoted YAML: each '' collapses to one ', so the JSONPath actually
              # passed to kube-bench is {range .tlsCipherSuites[:]}{}{','}{end}, i.e. the
              # configured suites joined with commas to match the command-line form.
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              set: true
              # valid_elements: every configured suite must appear in this allow-list.
              # The list is the benchmark's; note the two TLS_RSA_* entries use static RSA
              # key exchange and therefore provide no forward secrecy.
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set TLSCipherSuites: to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false