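---
# kube-bench check definitions for CIS Kubernetes Benchmark 1.6, section 4
# ("Worker Node Security Configuration").
#
# Each check runs `audit` (a shell command executed on the node) and, where present,
# `audit_config` (a dump of the kubelet config file). Every entry in `tests.test_items`
# is then evaluated against that output: `flag` is looked up in the command-line
# (`audit`) output, `path` is a JSONPath evaluated against the `audit_config` output.
# Checks that can only be expressed as a kubelet command-line argument (see 4.2.8)
# carry no `audit_config`/`path` and inspect the process line only.
#
# `$kubeletsvc`, `$kubeletconf`, `$kubeletbin`, `$proxykubeconfig`, `$kubeletkubeconfig`
# and `$kubeletcafile` are placeholders that the tool substitutes from its node
# configuration before the audit command runs — confirm the resolved paths against the
# tool's config.yaml for the target platform if a check reports "not found".
#
# `scored: true` corresponds to the benchmark's "(Automated)" items; "(Manual)" items are
# `scored: false` and are reported but do not affect the pass/fail summary.
#
# The value of `controls` is intentionally left empty: the document's metadata and
# `groups` are written as its top-level siblings (upstream kube-bench layout).
controls:
version: "cis-1.6"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                # bitmask: passes when the observed mode grants no bit beyond 644.
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
        tests:
          # Either the file is owned by root:root, or it does not exist on this node.
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "File not found"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          # The file is optional: an absent file (no output) also passes.
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
            - flag: "$proxykubeconfig"
              set: false
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "$proxykubeconfig"
              set: false
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: false

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
        # The CA file path is taken from the running kubelet's --client-ca-file argument;
        # when the flag is absent, the configured $kubeletcafile is used instead.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 644 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    # Kubelet settings may come from either the command line (`audit`, matched by `flag`)
    # or the kubelet config file (`audit_config`, matched by `path`).
    checks:
      - id: 4.2.1
        text: "Ensure that the anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Presence check only: no compare, so any non-empty value passes.
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Passes when the port is explicitly 0 or the setting is absent.
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Only an explicit 0 passes automatically; any other level needs manual review.
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: 0
        # The remediation previously said "set the below parameter" without naming it;
        # the parameter line is now spelled out, with a placeholder for the chosen level.
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=<appropriate level>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Both items must be present (default bin_op); no compare, so presence suffices.
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set tlsCertFile to the location
          of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            # Fails only when the feature gate is explicitly disabled.
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: false
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              # Joins the configured suites with ',' so valid_elements can check each one
              # against the allow-list below ('' is the single-quote escape).
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set TLSCipherSuites: to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false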