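---
# kube-bench control definitions for CIS Kubernetes Benchmark v1.8, section 4
# (worker node). Each check pairs an `audit` command (and, for kubelet
# settings, an `audit_config` read of the kubelet config file) with
# `tests.test_items` that kube-bench evaluates against the command output.
#
# Conventions used in this file:
# - `$kubeletsvc`, `$kubeletconf`, `$kubeletkubeconfig`, `$proxykubeconfig`,
#   `$kubeletcafile` and `$kubeletbin` are placeholders that kube-bench
#   substitutes at run time from its platform configuration — confirm the
#   mapping against the deployment's config.yaml rather than editing them here.
# - `bin_op: or` makes a check pass when any one test item matches; the
#   default is that every test item must match.
# - `set: false` items pass when the flag/config key is absent; those checks
#   therefore rely on the kubelet's built-in default being the secure value.
# - Scalars that a YAML 1.1 parser would retype (group ids such as 4.1,
#   compare values such as false/0) are quoted so they are always read as the
#   strings kube-bench expects.
#
# NOTE: `controls:` carries no value; `version`, `id`, `text`, `type` and
# `groups` are top-level keys of this document.
controls:
version: "cis-1.8"
id: "4"
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: "4.1"
    text: "Worker Node Configuration Files"
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
        # No output when the file is absent, so this check fails on a missing service file.
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chmod 600 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        # Unlike 4.1.1, an absent service file prints "File not found", which the
        # `or` below accepts as a pass. Keep this in mind when reading results on
        # nodes where the kubelet is not managed by a service file.
        audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
        tests:
          bin_op: or
          test_items:
            - flag: root:root
            - flag: "File not found"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          # Single test item, so `or` has no effect; kept for parity with 4.1.4.
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
        # The CA path is taken from the running kubelet's --client-ca-file argument,
        # falling back to $kubeletcafile when the argument is not present.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 600 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        # Same CA-path discovery as 4.1.7.
        audit: |
          CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
          if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
          if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 600 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: "4.2"
    text: "Kubelet"
    checks:
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: "false"
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Presence-only test: passes when either the flag or the config key is set.
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Verify that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: "0"
            # Absent setting passes — NOTE(review): relies on the kubelet default
            # being 0 for the version in use; confirm before trusting a pass here.
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: "0"
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: "true"
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead of reading the Kubelet Configuration file (hence no audit_config here).
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.8
        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            # `gte 0` accepts any non-negative value, including 0 (unlimited);
            # the "appropriate level" judgement is left to the reviewer, hence Manual.
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: gte
                value: "0"
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: false
        # The command-line parameter is now named; previously the text said
        # "set the below parameter" without giving one.
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --event-qps=<appropriate level>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # No bin_op, so both items must be present for a pass.
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: "true"
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.11
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            # Fails only when the feature gate is explicitly set to false.
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: "false"
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.12
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              # Joins the configured suites with ',' so they can be compared as a list.
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                # Every configured suite must appear in this allow-list.
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that a limit is set on pod PIDs (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Presence-only: any configured limit passes; the value itself is not checked.
          test_items:
            - flag: --pod-max-pids
              path: '{.podPidsLimit}'
        remediation: |
          Decide on an appropriate level for this parameter and set it,
          either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting.
        scored: false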