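---
# kube-bench control set for CIS Kubernetes Benchmark 1.23, section 4
# (worker node), adapted for k3s: cfg/k3s-cis-1.23/node.yaml.
#
# Each check runs `audit`, looks for every `flag` in the command output and,
# when `compare` is present, compares the value found after the flag.
# `type: "skip"` and `type: "manual"` checks are not evaluated automatically.
# `$kubeletsvc`, `$kubeletconf`, `$kubeletbin` and `$proxykubeconfig` are
# placeholders expanded outside this file.
controls:
version: "k3s-cis-1.23"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chmod 644 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
        type: "skip"
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
        # Guarded with `test -e` so an absent file produces empty output instead
        # of a stat error, and prefixed with `permissions=` so the `permissions`
        # flag below can actually be found in the output (mirrors 4.1.1/4.1.4).
        audit: '/bin/sh -c ''if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "644"
            # The check is conditional on the file existing: no output means
            # no file, which passes.
            - flag: "permissions"
              set: false
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        # NOTE(review): `bin_op: or` has a single alternative here, so a missing
        # file yields empty output and the check fails despite the "if exists"
        # wording; the flag is the expected value itself, so a `set: false`
        # alternative would also pass wrong ownership — leave as-is or emit a
        # prefixed value from the audit before adding one.
        audit: '/bin/sh -c ''if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
        # Bitmask comparison so that modes more restrictive than 644 (600, 400,
        # ...) pass, as the check text requires; an exact `eq "644"` rejected
        # them.
        audit: 'stat -c permissions=%a /var/lib/rancher/k3s/agent/kubelet.kubeconfig'
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 644 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: 'stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig'
        tests:
          test_items:
            - flag: "root:root"
              compare:
                op: eq
                value: "root:root"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
        # NOTE(review): this audits server-ca.crt while 4.1.8 and the
        # remediation below refer to the --client-ca-file (client-ca.crt);
        # confirm which file is intended.
        # Bitmask 644 covers every mode at least as restrictive as 644, which
        # the previous enumerated list (644/640/600/444/440/400/000) did not.
        audit: "stat -c permissions=%a /var/lib/rancher/k3s/server/tls/server-ca.crt"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
              set: true
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 644 <filename>
        scored: true

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt"
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 644 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        type: "skip"
        tests:
          test_items:
            - flag: root:root
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    checks:
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        # NOTE(review): the audit reads the last "Running kube-apiserver" journal
        # line; on a node with no such line the `else` branch echoes the
        # compliant value, so the check passes without inspecting the running
        # kubelet — confirm that matches the k3s default on those nodes. The
        # same shape is used by 4.2.2 and 4.2.3.
        audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi'' '
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
        tests:
          test_items:
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
        # NOTE(review): this and 4.2.5/4.2.7 read the last "Running kubelet"
        # journal line; if that line is no longer in the journal the grep is
        # empty and the `set: false` alternative passes the check.
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port' "
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            # Argument absent: the kubelet default applies.
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'protect-kernel-defaults'"
        type: "skip"
        tests:
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
              set: true
        remediation: |
          If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'make-iptables-util-chains'"
        type: "skip"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
              set: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        type: "skip"
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.9
        text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        type: "manual"
        tests:
          test_items:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: 0
        # NOTE(review): the remediation text refers to "the below parameter"
        # but names none.
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1"
        # NOTE(review): `path` elsewhere in this file is a JSONPath into the
        # kubelet config; these two hold filesystem paths — confirm intent.
        # There is no `compare`, so only the presence of each flag in the
        # journal line is checked.
        tests:
          test_items:
            - flag: --tls-cert-file
              path: '/var/lib/rancher/k3s/agent/serving-kubelet.crt'
            - flag: --tls-private-key-file
              path: '/var/lib/rancher/k3s/agent/serving-kubelet.key'
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        type: "skip"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        type: "skip"
        tests:
          bin_op: or
          test_items:
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: false
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        type: "manual"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              # Single-quoted YAML: '' is an escaped quote, so the JSONPath
              # separator is a literal ','.
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        remediation: |
          If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false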