---
# kube-bench control set for the EKS 1.2.0 benchmark, section 3 (worker nodes).
# Each check runs an `audit` command (and, for kubelet settings, an `audit_config`
# command that dumps the kubelet config file) and matches the output with `tests`.
# `$kubeletkubeconfig`, `$kubeletconf`, `$kubeletbin` and `$kubeletsvc` are
# presumably substituted by kube-bench from its node configuration rather than
# read from the shell environment — confirm against the kube-bench config.
controls:
version: "eks-1.2.0"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
  # 3.1: ownership and mode of the files the kubelet reads on every node.
  # World-readable kubeconfig or config files leak node credentials / settings.
  - id: 3.1
    text: "Worker Node Configuration Files"
    checks:
      # `bitmask` against "644" reads as: pass when the file grants no mode bits
      # beyond rw-r--r-- (i.e. 644 or more restrictive). The audit prints
      # nothing when the file does not exist.
      - id: 3.1.1
        text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: false

      # No `compare` block: the test item passes when the audit output carries
      # the literal `root:root` (presumably a presence match — verify in kube-bench).
      - id: 3.1.2
        text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: false

      # Same mode check as 3.1.1, applied to the kubelet configuration file.
      - id: 3.1.3
        text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: false

      # Same ownership check as 3.1.2, applied to the kubelet configuration file.
      - id: 3.1.4
        text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: false

  # 3.2: kubelet runtime settings. Every check below inspects both the kubelet
  # process arguments (`audit`, matched by `flag`) and the kubelet config file
  # (`audit_config`, matched by the JSONPath in `path`), since a setting may be
  # supplied either way.
  - id: 3.2
    text: "Kubelet"
    checks:
      # `set: true` + `eq false`: anonymous auth must be explicitly disabled; an
      # absent setting does not pass this check.
      - id: 3.2.1
        text: "Ensure that the Anonymous Auth is Not Enabled (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              set: true
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # `nothave AlwaysAllow`: any configured mode other than AlwaysAllow passes;
      # the setting must still be present (`set: true`).
      - id: 3.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              set: true
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Presence-only check: a client CA must be configured so the kubelet can
      # verify API-server client certificates; the file path itself is not validated.
      - id: 3.2.3
        text: "Ensure that a Client CA File is Configured (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # Unlike 3.2.5/3.2.7/3.2.10 there is no "not set" alternative here: the
      # read-only port must be explicitly set to 0, an unset value fails.
      - id: 3.2.4
        text: "Ensure that the --read-only-port is disabled (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # `bin_op: or` over two items: pass when the timeout is set to anything but
      # 0, or when it is not set at all (kubelet default applies).
      - id: 3.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: true
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Must be explicitly true (`set: true`); an absent setting fails.
      - id: 3.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              set: true
              compare:
                op: eq
                value: true
        remediation: |
          If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      # Pass when set to true or not set at all (the remediation relies on the
      # default by removing the argument). Note the trailing space inside `text`.
      - id: 3.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 3.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        # Hence no `audit_config`/`path` here: the flag must simply be absent.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # NOTE(review): `gte 0` is satisfied by every non-negative value, so this
      # only fails when the setting is absent or negative; whether the level is
      # "appropriate" still needs human judgement. The `text` says Automated but
      # `scored` is false — the only such mismatch in this file; confirm intent.
      # The remediation announces a parameter but lists none; the flag audited
      # here is `--event-qps`.
      - id: 3.2.9
        text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              set: true
              compare:
                op: gte
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # Pass when explicitly true or when absent (default); only an explicit
      # `--rotate-certificates=false` / `rotateCertificates: false` fails.
      - id: 3.2.10
        text: "Ensure that the --rotate-certificates argument is not present or is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: true
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      # `flag` is the feature-gate name, matched within the kubelet's
      # `--feature-gates=` argument (the form shown in the remediation), and
      # `path` is its entry under featureGates in the config file.
      - id: 3.2.11
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: true
              compare:
                op: eq
                value: true
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false
  # 3.3: informational only — the single check has no `audit` or `tests`, so it
  # cannot pass or fail automatically and is left to manual review.
  - id: 3.3
    text: "Container Optimized OS"
    checks:
      - id: 3.3.1
        text: "Prefer using a container-optimized OS when possible (Manual)"
        remediation: "No remediation"
        scored: false