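---
# Worker-node checks for the EKS STIG (Kubernetes V1R6) profile.
#
# Automated checks parse the kubelet command line (`audit`) and, where a
# `path:` is given, the kubelet configuration file (`audit_config`).
# The $kubeletbin / $kubeletconf / $kubeletsvc / $kubeletkubeconfig tokens
# are placeholders that kube-bench is expected to substitute at runtime;
# remediation text uses the same names so that it matches the audit.
#
# NOTE(review): `controls:` is a bare key with the control fields written
# at the top level, exactly as the file was shipped — do not nest the
# fields under it without confirming kube-bench's loader accepts that.
controls:
version: "eks-stig-kubernetes-v1r6"
id: "3"
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: "3.1"
    text: "DISA Category Code I"
    checks:
      - id: V-242387  # CIS 3.2.4
        text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: true
              compare:
                op: eq
                value: "0"
        remediation: |
          If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: V-242391  # CIS 3.2.1
        text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              set: true
              compare:
                op: eq
                value: "false"
        remediation: |
          If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
          false.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --anonymous-auth=false
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: V-242392  # CIS 3.2.2
        text: "The Kubernetes kubelet must enable explicit authorization (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--authorization-mode"
              path: '{.authorization.mode}'
              set: true
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: V-242397
        text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Passes only when staticPodPath is absent from the kubelet config.
            - path: '{.staticPodPath}'
              set: false
        remediation: |
          Edit $kubeletconf on each node to remove the staticPodPath
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: V-242415
        text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)"
        type: "manual"
        remediation: |
          Run the following command:
          kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
          If any of the values returned reference environment variables
          rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: V-242434  # CIS 3.2.6
        text: "Kubernetes Kubelet must enable kernel protection (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--protect-kernel-defaults"
              path: '{.protectKernelDefaults}'
              set: true
              compare:
                op: eq
                value: "true"
        remediation: |
          If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: V-242435
        text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Same test as V-242392: both STIG items are evaluated here against
            # the kubelet authorization mode.
            - flag: "--authorization-mode"
              path: '{.authorization.mode}'
              set: true
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: V-242393
        text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
        audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
        tests:
          test_items:
            - flag: ActiveState
              compare:
                op: eq
                value: inactive
        remediation: |
          To stop the sshd service, run the command: systemctl stop sshd
        scored: true

      - id: V-242394
        text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
        audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
        tests:
          test_items:
            - flag: "disabled"
        # The audit queries systemd, so the remediation names the systemd
        # command first; chkconfig is kept for SysV-style hosts.
        remediation: |
          To disable the sshd service, run the command:
          systemctl disable sshd.service
          (on hosts without systemd: chkconfig sshd off)
        scored: true

      - id: V-242395
        text: "Kubernetes dashboard must not be enabled. (Manual)"
        type: "manual"
        remediation: |
          Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
          If any resources are returned, this is a finding.
          Fix Text: Delete the Kubernetes dashboard deployment with the following command:
          kubectl delete deployment kubernetes-dashboard --namespace=kube-system
        scored: false

      - id: V-242398
        text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Either the feature gate is present without DynamicAuditing=true,
          # or no --feature-gates flag is set at all.
          bin_op: or
          test_items:
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "DynamicAuditing=true"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          Edit any manifest files or kubelet config files that contain the feature-gates
          setting with DynamicAuditing set to "true".
          Set the flag to "false" or remove the "DynamicAuditing" setting
          completely. Restart the kubelet service if the kubelet config file
          is changed.
        scored: true

      - id: V-242399
        text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Either the feature gate is present without DynamicKubeletConfig=true,
          # or no --feature-gates flag is set at all.
          bin_op: or
          test_items:
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "DynamicKubeletConfig=true"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          Edit any manifest files or $kubeletconf that contain the feature-gates
          setting with DynamicKubeletConfig set to "true".
          Set the flag to "false" or remove the "DynamicKubeletConfig" setting
          completely. Restart the kubelet service if the kubelet config file
          is changed.
        scored: true

      - id: V-242404  # CIS 3.2.8
        text: "Kubernetes Kubelet must deny hostname override (Automated)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead of reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: "--hostname-override"
              set: false
        # The service file is $kubeletsvc (as in the other kubelet remediations);
        # $kubeletbin is the kubelet binary used by the audit, not a file to edit.
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: V-242406
        text: "The Kubernetes kubelet configuration file must be owned by root (Automated)"
        # NOTE(review): the text names the kubelet configuration file, but the
        # audit inspects $kubeletkubeconfig while V-242407 inspects $kubeletconf —
        # confirm which file this STIG item is meant to cover.
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: V-242407
        text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: V-242414
        text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)"
        type: "manual"
        remediation: |
          For any of the pods that are using ports below 1024,
          reconfigure the pod to use a service to map a host non-privileged
          port to the pod port or reconfigure the image to use non-privileged ports.
        scored: false

      - id: V-242442
        text: "Kubernetes must remove old components after updated versions have been installed. (Manual)"
        type: "manual"
        remediation: |
          To view all pods and the images used to create the pods, from the Master node, run the following command:
          kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
          tr -s '[[:space:]]' '\n' | \
          sort | \
          uniq -c
          Review the images used for pods running within Kubernetes.
          Remove any old pods that are using older images.
        scored: false

      - id: V-242396
        text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
        type: "manual"
        remediation: |
          If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
          Upgrade the Master and Worker nodes to the latest version of kubectl.
        scored: false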