github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/k3s-cis-1.24/node.yaml (about) 1 --- 2 controls: 3 version: "k3s-cis-1.24" 4 id: 4 5 text: "Worker Node Security Configuration" 6 type: "node" 7 groups: 8 - id: 4.1 9 text: "Worker Node Configuration Files" 10 checks: 11 - id: 4.1.1 12 text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)" 13 audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' ' 14 type: "skip" 15 tests: 16 test_items: 17 - flag: "permissions" 18 compare: 19 op: bitmask 20 value: "600" 21 remediation: | 22 Run the below command (based on the file location on your system) on the each worker node. 23 For example, chmod 600 $kubeletsvc 24 scored: true 25 26 - id: 4.1.2 27 text: "Ensure that the kubelet service file ownership is set to root:root (Automated)" 28 audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' ' 29 type: "skip" 30 tests: 31 test_items: 32 - flag: root:root 33 remediation: | 34 Run the below command (based on the file location on your system) on the each worker node. 35 For example, 36 chown root:root $kubeletsvc 37 scored: true 38 39 - id: 4.1.3 40 text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)" 41 audit: 'stat -c %a /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig' 42 tests: 43 bin_op: or 44 test_items: 45 - flag: "permissions" 46 set: true 47 compare: 48 op: bitmask 49 value: "600" 50 remediation: | 51 Run the below command (based on the file location on your system) on the each worker node. 52 For example, 53 chmod 600 $proxykubeconfig 54 scored: false 55 56 - id: 4.1.4 57 text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)" 58 audit: '/bin/sh -c ''if test -e /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig; fi'' ' 59 tests: 60 bin_op: or 61 test_items: 62 - flag: root:root 63 remediation: | 64 Run the below command (based on the file location on your system) on the each worker node. 65 For example, chown root:root $proxykubeconfig 66 scored: false 67 68 - id: 4.1.5 69 text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)" 70 audit: 'stat -c %a /var/lib/rancher/k3s/agent/kubelet.kubeconfig ' 71 tests: 72 test_items: 73 - flag: "600" 74 compare: 75 op: eq 76 value: "600" 77 set: true 78 remediation: | 79 Run the below command (based on the file location on your system) on the each worker node. 80 For example, 81 chmod 600 $kubeletkubeconfig 82 scored: true 83 84 - id: 4.1.6 85 text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)" 86 audit: 'stat -c %U:%G /var/lib/rancher/k3s/agent/kubelet.kubeconfig' 87 tests: 88 test_items: 89 - flag: "root:root" 90 compare: 91 op: eq 92 value: "root:root" 93 set: true 94 remediation: | 95 Run the below command (based on the file location on your system) on the each worker node. 96 For example, 97 chown root:root $kubeletkubeconfig 98 scored: true 99 100 - id: 4.1.7 101 text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)" 102 audit: "stat -c %a /var/lib/rancher/k3s/server/tls/server-ca.crt" 103 tests: 104 test_items: 105 - flag: "permissions" 106 compare: 107 op: bitmask 108 value: "600" 109 set: true 110 remediation: | 111 Run the following command to modify the file permissions of the 112 --client-ca-file chmod 600 <filename> 113 scored: false 114 115 - id: 4.1.8 116 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" 117 audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls/client-ca.crt" 118 tests: 119 test_items: 120 - flag: root:root 121 compare: 122 op: eq 123 value: root:root 124 remediation: | 125 Run the following command to modify the ownership of the --client-ca-file. 126 chown root:root <filename> 127 scored: false 128 129 - id: 4.1.9 130 text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)" 131 audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' 132 type: "skip" 133 tests: 134 test_items: 135 - flag: "permissions" 136 compare: 137 op: bitmask 138 value: "600" 139 remediation: | 140 Run the following command (using the config file location identified in the Audit step) 141 chmod 600 $kubeletconf 142 scored: true 143 144 - id: 4.1.10 145 text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)" 146 audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' ' 147 type: "skip" 148 tests: 149 test_items: 150 - flag: root:root 151 remediation: | 152 Run the following command (using the config file location identified in the Audit step) 153 chown root:root $kubeletconf 154 scored: true 155 156 - id: 4.2 157 text: "Kubelet" 158 checks: 159 - id: 4.2.1 160 text: "Ensure that the --anonymous-auth argument is set to false (Automated)" 161 audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' ' 162 tests: 163 test_items: 164 - flag: "--anonymous-auth" 165 path: '{.authentication.anonymous.enabled}' 166 compare: 167 op: eq 168 value: false 169 set: true 170 remediation: | 171 If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to 172 `false`. 173 If using executable arguments, edit the kubelet service file 174 $kubeletsvc on each worker node and 175 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 176 `--anonymous-auth=false` 177 Based on your system, restart the kubelet service. For example, 178 systemctl daemon-reload 179 systemctl restart kubelet.service 180 scored: true 181 182 - id: 4.2.2 183 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 184 audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi'' ' 185 tests: 186 test_items: 187 - flag: --authorization-mode 188 path: '{.authorization.mode}' 189 compare: 190 op: nothave 191 value: AlwaysAllow 192 set: true 193 remediation: | 194 If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If 195 using executable arguments, edit the kubelet service file 196 $kubeletsvc on each worker node and 197 set the below parameter in KUBELET_AUTHZ_ARGS variable. 198 --authorization-mode=Webhook 199 Based on your system, restart the kubelet service. For example, 200 systemctl daemon-reload 201 systemctl restart kubelet.service 202 scored: true 203 204 - id: 4.2.3 205 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 206 audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' ' 207 tests: 208 test_items: 209 - flag: --client-ca-file 210 path: '{.authentication.x509.clientCAFile}' 211 set: true 212 remediation: | 213 If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to 214 the location of the client CA file. 215 If using command line arguments, edit the kubelet service file 216 $kubeletsvc on each worker node and 217 set the below parameter in KUBELET_AUTHZ_ARGS variable. 218 --client-ca-file=<path/to/client-ca-file> 219 Based on your system, restart the kubelet service. For example, 220 systemctl daemon-reload 221 systemctl restart kubelet.service 222 scored: true 223 224 - id: 4.2.4 225 text: "Verify that the --read-only-port argument is set to 0 (Manual)" 226 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port' " 227 tests: 228 bin_op: or 229 test_items: 230 - flag: "--read-only-port" 231 path: '{.readOnlyPort}' 232 compare: 233 op: eq 234 value: 0 235 - flag: "--read-only-port" 236 path: '{.readOnlyPort}' 237 set: false 238 remediation: | 239 If using a Kubelet config file, edit the file to set `readOnlyPort` to 0. 240 If using command line arguments, edit the kubelet service file 241 $kubeletsvc on each worker node and 242 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 243 --read-only-port=0 244 Based on your system, restart the kubelet service. For example, 245 systemctl daemon-reload 246 systemctl restart kubelet.service 247 scored: false 248 249 - id: 4.2.5 250 text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)" 251 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'" 252 tests: 253 test_items: 254 - flag: --streaming-connection-idle-timeout 255 path: '{.streamingConnectionIdleTimeout}' 256 compare: 257 op: noteq 258 value: 0 259 - flag: --streaming-connection-idle-timeout 260 path: '{.streamingConnectionIdleTimeout}' 261 set: false 262 bin_op: or 263 remediation: | 264 If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a 265 value other than 0. 266 If using command line arguments, edit the kubelet service file 267 $kubeletsvc on each worker node and 268 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 269 --streaming-connection-idle-timeout=5m 270 Based on your system, restart the kubelet service. For example, 271 systemctl daemon-reload 272 systemctl restart kubelet.service 273 scored: false 274 275 - id: 4.2.6 276 text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)" 277 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'protect-kernel-defaults'" 278 type: "skip" 279 tests: 280 test_items: 281 - flag: --protect-kernel-defaults 282 path: '{.protectKernelDefaults}' 283 compare: 284 op: eq 285 value: true 286 set: true 287 remediation: | 288 If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`. 289 If using command line arguments, edit the kubelet service file 290 $kubeletsvc on each worker node and 291 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 292 --protect-kernel-defaults=true 293 Based on your system, restart the kubelet service. For example: 294 systemctl daemon-reload 295 systemctl restart kubelet.service 296 scored: true 297 298 - id: 4.2.7 299 text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)" 300 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'make-iptables-util-chains'" 301 type: "skip" 302 tests: 303 test_items: 304 - flag: --make-iptables-util-chains 305 path: '{.makeIPTablesUtilChains}' 306 compare: 307 op: eq 308 value: true 309 set: true 310 - flag: --make-iptables-util-chains 311 path: '{.makeIPTablesUtilChains}' 312 set: false 313 bin_op: or 314 remediation: | 315 If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`. 316 If using command line arguments, edit the kubelet service file 317 $kubeletsvc on each worker node and 318 remove the --make-iptables-util-chains argument from the 319 KUBELET_SYSTEM_PODS_ARGS variable. 320 Based on your system, restart the kubelet service. For example: 321 systemctl daemon-reload 322 systemctl restart kubelet.service 323 scored: true 324 325 - id: 4.2.8 326 text: "Ensure that the --hostname-override argument is not set (Manual)" 327 # This is one of those properties that can only be set as a command line argument. 328 # To check if the property is set as expected, we need to parse the kubelet command 329 # instead reading the Kubelet Configuration file. 330 audit: "/bin/ps -fC $kubeletbin " 331 type: "skip" 332 tests: 333 test_items: 334 - flag: --hostname-override 335 set: false 336 remediation: | 337 Edit the kubelet service file $kubeletsvc 338 on each worker node and remove the --hostname-override argument from the 339 KUBELET_SYSTEM_PODS_ARGS variable. 340 Based on your system, restart the kubelet service. For example, 341 systemctl daemon-reload 342 systemctl restart kubelet.service 343 scored: false 344 345 - id: 4.2.9 346 text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)" 347 audit: "/bin/ps -fC $kubeletbin" 348 audit_config: "/bin/cat $kubeletconf" 349 tests: 350 test_items: 351 - flag: --event-qps 352 path: '{.eventRecordQPS}' 353 compare: 354 op: eq 355 value: 0 356 remediation: | 357 If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level. 358 If using command line arguments, edit the kubelet service file 359 $kubeletsvc on each worker node and 360 set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. 361 Based on your system, restart the kubelet service. For example, 362 systemctl daemon-reload 363 systemctl restart kubelet.service 364 scored: false 365 366 - id: 4.2.10 367 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)" 368 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1" 369 tests: 370 test_items: 371 - flag: --tls-cert-file 372 path: '/var/lib/rancher/k3s/agent/serving-kubelet.crt' 373 - flag: --tls-private-key-file 374 path: '/var/lib/rancher/k3s/agent/serving-kubelet.key' 375 remediation: | 376 If using a Kubelet config file, edit the file to set `tlsCertFile` to the location 377 of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` 378 to the location of the corresponding private key file. 379 If using command line arguments, edit the kubelet service file 380 $kubeletsvc on each worker node and 381 set the below parameters in KUBELET_CERTIFICATE_ARGS variable. 382 --tls-cert-file=<path/to/tls-certificate-file> 383 --tls-private-key-file=<path/to/tls-key-file> 384 Based on your system, restart the kubelet service. For example, 385 systemctl daemon-reload 386 systemctl restart kubelet.service 387 scored: false 388 389 - id: 4.2.11 390 text: "Ensure that the --rotate-certificates argument is not set to false (Automated)" 391 audit: "/bin/ps -fC $kubeletbin" 392 audit_config: "/bin/cat $kubeletconf" 393 tests: 394 test_items: 395 - flag: --rotate-certificates 396 path: '{.rotateCertificates}' 397 compare: 398 op: eq 399 value: true 400 - flag: --rotate-certificates 401 path: '{.rotateCertificates}' 402 set: false 403 bin_op: or 404 remediation: | 405 If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or 406 remove it altogether to use the default value. 407 If using command line arguments, edit the kubelet service file 408 $kubeletsvc on each worker node and 409 remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS 410 variable. 411 Based on your system, restart the kubelet service. For example, 412 systemctl daemon-reload 413 systemctl restart kubelet.service 414 scored: true 415 416 - id: 4.2.12 417 text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)" 418 audit: "/bin/ps -fC $kubeletbin" 419 audit_config: "/bin/cat $kubeletconf" 420 tests: 421 bin_op: or 422 test_items: 423 - flag: RotateKubeletServerCertificate 424 path: '{.featureGates.RotateKubeletServerCertificate}' 425 compare: 426 op: nothave 427 value: false 428 - flag: RotateKubeletServerCertificate 429 path: '{.featureGates.RotateKubeletServerCertificate}' 430 set: false 431 remediation: | 432 Edit the kubelet service file $kubeletsvc 433 on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. 434 --feature-gates=RotateKubeletServerCertificate=true 435 Based on your system, restart the kubelet service. For example: 436 systemctl daemon-reload 437 systemctl restart kubelet.service 438 scored: false 439 440 - id: 4.2.13 441 text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)" 442 audit: "/bin/ps -fC $kubeletbin" 443 audit_config: "/bin/cat $kubeletconf" 444 tests: 445 test_items: 446 - flag: --tls-cipher-suites 447 path: '{range .tlsCipherSuites[:]}{}{'',''}{end}' 448 compare: 449 op: valid_elements 450 value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 451 remediation: | 452 If using a Kubelet config file, edit the file to set `TLSCipherSuites` to 453 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 454 or to a subset of these values. 455 If using executable arguments, edit the kubelet service file 456 $kubeletsvc on each worker node and 457 set the --tls-cipher-suites parameter as follows, or to a subset of these values. 458 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 459 Based on your system, restart the kubelet service. For example: 460 systemctl daemon-reload 461 systemctl restart kubelet.service 462 scored: false