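---
# kube-bench control definitions for the "Control Plane Configuration" section
# (id 2) of the DISA Kubernetes STIG V1R6 profile as applied to EKS.
#
# Automated checks here run against the kubelet ($kubeletbin / $kubeletconf)
# rather than the API server binary itself; the $kubelet* variables are
# presumably substituted from the profile's config.yaml — confirm there.
# Every other check in this file is "manual" and only carries remediation text.
#
# Fixes relative to the previous revision (behaviour of the automated checks
# is unchanged):
#   - the duplicated "2.2 / DISA Category Code II" group has been merged into
#     the first one so each group id is unique;
#   - duplicated wording in the V-242400 remediation removed;
#   - stray leading space in the V-242443 title removed.
#
# The bare "controls:" key (null value) is kept as-is; it is the header
# marker used by kube-bench's other profile files.
controls:
version: "eks-stig-kubernetes-v1r6"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 2.1
    text: "DISA Category Code I"
    checks:
      - id: V-242390
        text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
        # Evaluated against the kubelet: the flag from the process command line,
        # or the equivalent path in the kubelet config file.
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # set: true + compare => the value must be present AND equal false;
            # an absent setting does not pass.
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              set: true
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true
      - id: V-242400
        text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        # NOTE(review): no test item below carries a "path", so the config file
        # output is likely not consulted for this check — only the command-line
        # flag is; confirm against kube-bench's config evaluation.
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Pass if the flag is present without AllAlpha=true, OR not set at all.
          bin_op: or
          test_items:
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "AllAlpha=true"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          Edit any manifest files or $kubeletconf that contain the feature-gates
          setting with AllAlpha set to "true".
          Set the flag to "false" or remove the "AllAlpha" setting
          completely. Restart the kubelet service if the kubelet config file
          is changed.
        scored: true
  - id: 2.2
    text: "DISA Category Code II"
    checks:
      - id: V-242381
        text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
        type: "manual"
        remediation: |
          Create explicit service accounts wherever a Kubernetes workload requires specific access
          to the Kubernetes API server.
          Modify the configuration of each default service account to include this value
          automountServiceAccountToken: false
        scored: false
      # V-242402 through V-242465 all map to the same EKS remediation: the API
      # server audit log is AWS-managed and exposed via control plane logging.
      - id: V-242402
        text: "The Kubernetes API Server must have an audit log path set (Manual)"
        type: "manual"
        remediation: |
          Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
        scored: false
      - id: V-242403
        text: "Kubernetes API Server must generate audit records (Manual)"
        type: "manual"
        remediation: |
          Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
        scored: false
      - id: V-242461
        text: "Kubernetes API Server audit logs must be enabled. (Manual)"
        type: "manual"
        remediation: |
          Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
        scored: false
      - id: V-242462
        text: "The Kubernetes API Server must be set to audit log max size. (Manual)"
        type: "manual"
        remediation: |
          Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
        scored: false
      - id: V-242463
        text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)"
        type: "manual"
        remediation: |
          Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
        scored: false
      - id: V-242464
        text: "The Kubernetes API Server audit log retention must be set. (Manual)"
        type: "manual"
        remediation: |
          Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
        scored: false
      - id: V-242465
        text: "The Kubernetes API Server audit log path must be set. (Manual)"
        type: "manual"
        remediation: |
          Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
        scored: false
      # Previously listed under a second group also titled "2.2 / DISA Category
      # Code II"; folded in here so the group id is unique.
      - id: V-242443
        text: "Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
        type: "manual"
        remediation: |
          Upgrade Kubernetes to a supported version.
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
        scored: false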