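---
# kube-bench control set: DISA STIG for Kubernetes (V1R6) applied to Amazon EKS,
# section 5 "Managed Services".
#
# Every check below whose text ends in "| Component of EKS Control Plane" is
# typed "skip": the requirement concerns API server / controller manager /
# scheduler / etcd configuration or files that live in the AWS-managed control
# plane, which a node-level scan cannot inspect. A skipped check is therefore
# not evidence of compliance; presumably that evidence has to come from the
# provider side (AWS documentation / compliance attestations) — confirm with
# the assessor before treating this section as covered.
#
# Group and control-set ids are quoted so that no YAML loader turns them into
# numbers ("5.1" would otherwise be parsed as a float); check ids are already
# plain strings.
controls:
version: "eks-stig-kubernetes-v1r6"
id: "5"
text: "Managed Services"
type: "managedservices"
groups:
  # CAT I (highest severity) findings.
  - id: "5.1"
    text: "DISA Category Code I"
    checks:
      - id: V-242386
        text: "The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane"
        type: "skip"

      - id: V-242388
        text: "The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane"
        type: "skip"

      # The only entry in this section that is assessed at all; it is manual
      # and unscored, so it does not affect the pass/fail totals.
      - id: V-242436
        text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)"
        type: "manual"
        remediation: |
          Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
          Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
        scored: false

      - id: V-245542
        text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane"
        type: "skip"

  # CAT II findings; all are control-plane responsibilities and skipped.
  - id: "5.2"
    text: "DISA Category Code II"
    checks:
      - id: V-242376
        text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane"
        type: "skip"

      - id: V-242377
        text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane"
        type: "skip"

      - id: V-242378
        text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane"
        type: "skip"

      - id: V-242379
        text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
        type: "skip"

      - id: V-242380
        text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
        type: "skip"

      - id: V-242382
        text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane"
        type: "skip"

      - id: V-242384
        text: "The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane"
        type: "skip"

      - id: V-242385
        text: "The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane"
        type: "skip"

      - id: V-242389
        text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane"
        type: "skip"

      - id: V-242401
        text: "The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane"
        type: "skip"

      - id: V-242402
        text: "The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane"
        type: "skip"

      - id: V-242403
        text: "Kubernetes API Server must generate audit records | Component of EKS Control Plane"
        type: "skip"

      - id: V-242405
        text: "The Kubernetes manifests must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242408
        text: "The Kubernetes manifests must have least privileges | Component of EKS Control Plane"
        type: "skip"

      - id: V-242409
        text: "Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane"
        type: "skip"

      - id: V-242410
        text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
        type: "skip"

      - id: V-242411
        text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
        type: "skip"

      - id: V-242412
        text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
        type: "skip"

      - id: V-242413
        text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
        type: "skip"

      - id: V-242418
        text: "The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane"
        type: "skip"

      - id: V-242419
        text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane"
        type: "skip"

      - id: V-242420
        text: "Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane"
        type: "skip"

      - id: V-242421
        text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane"
        type: "skip"

      - id: V-242422
        text: "Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane"
        type: "skip"

      - id: V-242423
        text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
        type: "skip"

      - id: V-242424
        text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
        type: "skip"

      - id: V-242425
        text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane"
        type: "skip"

      - id: V-242426
        text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
        type: "skip"

      - id: V-242427
        text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
        type: "skip"

      - id: V-242428
        text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
        type: "skip"

      - id: V-242429
        text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane"
        type: "skip"

      - id: V-242430
        text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
        type: "skip"

      - id: V-242431
        text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
        type: "skip"

      - id: V-242432
        text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane"
        type: "skip"

      - id: V-242433
        text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane"
        type: "skip"

      - id: V-242438
        text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane"
        type: "skip"

      - id: V-242444
        text: "The Kubernetes component manifests must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242445
        text: "The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane"
        type: "skip"

      - id: V-242446
        text: "The Kubernetes conf files must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242447
        text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242448
        text: "The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242449
        text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242450
        text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242451
        text: "The Kubernetes component PKI must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242452
        text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242453
        text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242454
        text: "The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242455
        text: "The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242456
        text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242457
        text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
        type: "skip"

      - id: V-242458
        text: "The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242459
        text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242460
        text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242466
        text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242467
        text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane"
        type: "skip"

      - id: V-242468
        text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane"
        type: "skip"

      - id: V-245541
        text: "Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane"
        type: "skip"

      - id: V-245543
        text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane"
        type: "skip"

      - id: V-245544
        text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane"
        type: "skip"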