github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/k3s-cis-1.7/master.yaml (about) 1 --- 2 controls: 3 version: "k3s-cis-1.7" 4 id: 1 5 text: "Control Plane Security Configuration" 6 type: "master" 7 groups: 8 - id: 1.1 9 text: "Control Plane Node Configuration Files" 10 checks: 11 - id: 1.1.1 12 text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)" 13 type: "skip" 14 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" 15 tests: 16 test_items: 17 - flag: "permissions" 18 compare: 19 op: bitmask 20 value: "600" 21 remediation: | 22 Run the below command (based on the file location on your system) on the 23 control plane node. 24 For example, chmod 600 $apiserverconf 25 Not Applicable. 26 scored: true 27 28 - id: 1.1.2 29 text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)" 30 type: "skip" 31 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" 32 tests: 33 test_items: 34 - flag: "root:root" 35 remediation: | 36 Run the below command (based on the file location on your system) on the control plane node. 37 For example, chown root:root $apiserverconf 38 Not Applicable. 39 scored: true 40 41 - id: 1.1.3 42 text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)" 43 type: "skip" 44 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" 45 tests: 46 test_items: 47 - flag: "permissions" 48 compare: 49 op: bitmask 50 value: "600" 51 remediation: | 52 Run the below command (based on the file location on your system) on the control plane node. 53 For example, chmod 600 $controllermanagerconf 54 Not Applicable. 
55 scored: true 56 57 - id: 1.1.4 58 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" 59 type: "skip" 60 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" 61 tests: 62 test_items: 63 - flag: "root:root" 64 remediation: | 65 Run the below command (based on the file location on your system) on the control plane node. 66 For example, chown root:root $controllermanagerconf 67 Not Applicable. 68 scored: true 69 70 - id: 1.1.5 71 text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)" 72 type: "skip" 73 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" 74 tests: 75 test_items: 76 - flag: "permissions" 77 compare: 78 op: bitmask 79 value: "600" 80 remediation: | 81 Run the below command (based on the file location on your system) on the control plane node. 82 For example, chmod 600 $schedulerconf 83 Not Applicable. 84 scored: true 85 86 - id: 1.1.6 87 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" 88 type: "skip" 89 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" 90 tests: 91 test_items: 92 - flag: "root:root" 93 remediation: | 94 Run the below command (based on the file location on your system) on the control plane node. 95 For example, chown root:root $schedulerconf 96 Not Applicable. 
97 scored: true 98 99 - id: 1.1.7 100 text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" 101 type: "skip" 102 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" 103 use_multiple_values: true 104 tests: 105 test_items: 106 - flag: "permissions" 107 compare: 108 op: bitmask 109 value: "600" 110 remediation: | 111 Run the below command (based on the file location on your system) on the control plane node. 112 For example, 113 chmod 600 $etcdconf 114 Not Applicable. 115 scored: true 116 117 - id: 1.1.8 118 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" 119 type: "skip" 120 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi'" 121 use_multiple_values: true 122 tests: 123 test_items: 124 - flag: "root:root" 125 remediation: | 126 Run the below command (based on the file location on your system) on the control plane node. 127 For example, 128 chown root:root $etcdconf 129 Not Applicable. 130 scored: true 131 132 - id: 1.1.9 133 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)" 134 type: "skip" 135 audit: | 136 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a 137 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a 138 use_multiple_values: true 139 tests: 140 test_items: 141 - flag: "permissions" 142 compare: 143 op: bitmask 144 value: "600" 145 remediation: | 146 Run the below command (based on the file location on your system) on the control plane node. 147 For example, chmod 600 <path/to/cni/files> 148 Not Applicable. 
149 scored: false 150 151 - id: 1.1.10 152 text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" 153 type: skip 154 audit: | 155 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G 156 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G 157 use_multiple_values: true 158 tests: 159 test_items: 160 - flag: "root:root" 161 remediation: | 162 Run the below command (based on the file location on your system) on the control plane node. 163 For example, 164 chown root:root <path/to/cni/files> 165 Not Applicable. 166 scored: false 167 168 - id: 1.1.11 169 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" 170 audit: "check_for_k3s_etcd.sh 1.1.11" 171 tests: 172 test_items: 173 - flag: "700" 174 compare: 175 op: eq 176 value: "700" 177 set: true 178 remediation: | 179 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 180 from the command 'ps -ef | grep etcd'. 181 Run the below command (based on the etcd data directory found above). For example, 182 chmod 700 /var/lib/etcd 183 scored: true 184 185 - id: 1.1.12 186 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" 187 audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G 188 type: "skip" 189 tests: 190 test_items: 191 - flag: "etcd:etcd" 192 remediation: | 193 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 194 from the command 'ps -ef | grep etcd'. 195 Run the below command (based on the etcd data directory found above). 196 For example, chown etcd:etcd /var/lib/etcd 197 Not Applicable. 
198 scored: true 199 200 - id: 1.1.13 201 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" 202 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'" 203 type: "skip" 204 tests: 205 test_items: 206 - flag: "permissions" 207 compare: 208 op: bitmask 209 value: "600" 210 remediation: | 211 Run the below command (based on the file location on your system) on the control plane node. 212 For example, chmod 600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig 213 scored: true 214 215 - id: 1.1.14 216 text: "Ensure that the admin.conf file ownership is set to root:root (Automated)" 217 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'" 218 tests: 219 test_items: 220 - flag: "root:root" 221 compare: 222 op: eq 223 value: "root:root" 224 set: true 225 remediation: | 226 Run the below command (based on the file location on your system) on the control plane node. 227 For example, chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig 228 scored: true 229 230 - id: 1.1.15 231 text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)" 232 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'" 233 tests: 234 test_items: 235 - flag: "permissions" 236 compare: 237 op: bitmask 238 value: "600" 239 remediation: | 240 Run the below command (based on the file location on your system) on the control plane node.
241 For example, 242 chmod 600 $schedulerkubeconfig 243 scored: true 244 245 - id: 1.1.16 246 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" 247 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig; fi'" 248 tests: 249 test_items: 250 - flag: "root:root" 251 remediation: | 252 Run the below command (based on the file location on your system) on the control plane node. 253 For example, 254 chown root:root $schedulerkubeconfig 255 scored: true 256 257 - id: 1.1.17 258 text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)" 259 audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/controller.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/controller.kubeconfig; fi'" 260 tests: 261 test_items: 262 - flag: "permissions" 263 compare: 264 op: bitmask 265 value: "600" 266 remediation: | 267 Run the below command (based on the file location on your system) on the control plane node. 268 For example, 269 chmod 600 $controllermanagerkubeconfig 270 scored: true 271 272 - id: 1.1.18 273 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" 274 audit: "stat -c %U:%G /var/lib/rancher/k3s/server/cred/controller.kubeconfig" 275 tests: 276 test_items: 277 - flag: "root:root" 278 compare: 279 op: eq 280 value: "root:root" 281 set: true 282 remediation: | 283 Run the below command (based on the file location on your system) on the control plane node. 
284 For example, 285 chown root:root $controllermanagerkubeconfig 286 scored: true 287 288 - id: 1.1.19 289 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" 290 audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls" 291 use_multiple_values: true 292 tests: 293 test_items: 294 - flag: "root:root" 295 remediation: | 296 Run the below command (based on the file location on your system) on the control plane node. 297 For example, 298 chown -R root:root /var/lib/rancher/k3s/server/tls 299 scored: true 300 301 - id: 1.1.20 302 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" 303 audit: "stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.crt" 304 use_multiple_values: true 305 tests: 306 test_items: 307 - flag: "permissions" 308 compare: 309 op: bitmask 310 value: "600" 311 remediation: | 312 Run the below command (based on the file location on your system) on the control plane node. 313 For example, 314 chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt 315 scored: false 316 317 - id: 1.1.21 318 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" 319 audit: "stat -c permissions=%a /var/lib/rancher/k3s/server/tls/*.key" 320 use_multiple_values: true 321 tests: 322 test_items: 323 - flag: "permissions" 324 compare: 325 op: bitmask 326 value: "600" 327 remediation: | 328 Run the below command (based on the file location on your system) on the control plane node.
329 For example, 330 chmod -R 600 /var/lib/rancher/k3s/server/tls/*.key 331 scored: false 332 333 - id: 1.2 334 text: "API Server" 335 checks: 336 - id: 1.2.1 337 text: "Ensure that the --anonymous-auth argument is set to false (Manual)" 338 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'anonymous-auth'" 339 tests: 340 test_items: 341 - flag: "--anonymous-auth" 342 compare: 343 op: eq 344 value: false 345 remediation: | 346 Edit the API server pod specification file $apiserverconf 347 on the control plane node and set the below parameter. 348 --anonymous-auth=false 349 scored: false 350 351 - id: 1.2.2 352 text: "Ensure that the --token-auth-file parameter is not set (Automated)" 353 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 354 tests: 355 test_items: 356 - flag: "--token-auth-file" 357 set: false 358 remediation: | 359 Follow the documentation and configure alternate mechanisms for authentication. Then, 360 edit the API server pod specification file $apiserverconf 361 on the control plane node and remove the --token-auth-file=<filename> parameter. 362 scored: true 363 364 - id: 1.2.3 365 text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)" 366 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 367 tests: 368 bin_op: or 369 test_items: 370 - flag: "--enable-admission-plugins" 371 compare: 372 op: nothave 373 value: "DenyServiceExternalIPs" 374 set: true 375 - flag: "--enable-admission-plugins" 376 set: false 377 remediation: | 378 Edit the API server pod specification file $apiserverconf 379 on the control plane node and remove the `DenyServiceExternalIPs` 380 from enabled admission plugins.
381 scored: true 382 383 - id: 1.2.4 384 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" 385 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'kubelet-client-certificate'" 386 tests: 387 bin_op: and 388 test_items: 389 - flag: "--kubelet-client-certificate" 390 - flag: "--kubelet-client-key" 391 remediation: | 392 Follow the Kubernetes documentation and set up the TLS connection between the 393 apiserver and kubelets. Then, edit the API server pod specification file 394 $apiserverconf on the control plane node and set the 395 kubelet client certificate and key parameters as below. 396 --kubelet-client-certificate=<path/to/client-certificate-file> 397 --kubelet-client-key=<path/to/client-key-file> 398 scored: true 399 400 - id: 1.2.5 401 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" 402 type: "skip" 403 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 404 tests: 405 test_items: 406 - flag: "--kubelet-certificate-authority" 407 remediation: | 408 Follow the Kubernetes documentation and set up the TLS connection between 409 the apiserver and kubelets. Then, edit the API server pod specification file 410 $apiserverconf on the control plane node and set the 411 --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. 412 --kubelet-certificate-authority=<ca-string> 413 Permissive - When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
414 scored: true 415 416 - id: 1.2.6 417 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 418 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'" 419 tests: 420 test_items: 421 - flag: "--authorization-mode" 422 compare: 423 op: nothave 424 value: "AlwaysAllow" 425 remediation: | 426 Edit the API server pod specification file $apiserverconf 427 on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. 428 One such example could be as below. 429 --authorization-mode=RBAC 430 scored: true 431 432 - id: 1.2.7 433 text: "Ensure that the --authorization-mode argument includes Node (Automated)" 434 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'" 435 tests: 436 test_items: 437 - flag: "--authorization-mode" 438 compare: 439 op: has 440 value: "Node" 441 remediation: | 442 Edit the API server pod specification file $apiserverconf 443 on the control plane node and set the --authorization-mode parameter to a value that includes Node. 444 --authorization-mode=Node,RBAC 445 scored: true 446 447 - id: 1.2.8 448 text: "Ensure that the --authorization-mode argument includes RBAC (Automated)" 449 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'authorization-mode'" 450 tests: 451 test_items: 452 - flag: "--authorization-mode" 453 compare: 454 op: has 455 value: "RBAC" 456 remediation: | 457 Edit the API server pod specification file $apiserverconf 458 on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, 459 for example `--authorization-mode=Node,RBAC`. 
460 scored: true 461 462 - id: 1.2.9 463 text: "Ensure that the admission control plugin EventRateLimit is set (Manual)" 464 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'" 465 tests: 466 test_items: 467 - flag: "--enable-admission-plugins" 468 compare: 469 op: has 470 value: "EventRateLimit" 471 remediation: | 472 Follow the Kubernetes documentation and set the desired limits in a configuration file. 473 Then, edit the API server pod specification file $apiserverconf 474 and set the below parameters. 475 --enable-admission-plugins=...,EventRateLimit,... 476 --admission-control-config-file=<path/to/configuration/file> 477 scored: false 478 479 - id: 1.2.10 480 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" 481 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'" 482 tests: 483 bin_op: or 484 test_items: 485 - flag: "--enable-admission-plugins" 486 compare: 487 op: nothave 488 value: AlwaysAdmit 489 - flag: "--enable-admission-plugins" 490 set: false 491 remediation: | 492 Edit the API server pod specification file $apiserverconf 493 on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a 494 value that does not include AlwaysAdmit. 495 scored: true 496 497 - id: 1.2.11 498 text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)" 499 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 500 tests: 501 test_items: 502 - flag: "--enable-admission-plugins" 503 compare: 504 op: has 505 value: "AlwaysPullImages" 506 remediation: | 507 Edit the API server pod specification file $apiserverconf 508 on the control plane node and set the --enable-admission-plugins parameter to include 509 AlwaysPullImages. 510 --enable-admission-plugins=...,AlwaysPullImages,... 
511 scored: false 512 513 - id: 1.2.12 514 text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)" 515 type: "skip" 516 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 517 tests: 518 bin_op: or 519 test_items: 520 - flag: "--enable-admission-plugins" 521 compare: 522 op: has 523 value: "SecurityContextDeny" 524 - flag: "--enable-admission-plugins" 525 compare: 526 op: has 527 value: "PodSecurityPolicy" 528 remediation: | 529 Edit the API server pod specification file $apiserverconf 530 on the control plane node and set the --enable-admission-plugins parameter to include 531 SecurityContextDeny, unless PodSecurityPolicy is already in place. 532 --enable-admission-plugins=...,SecurityContextDeny,... 533 Permissive - Enabling Pod Security Policy can cause applications to unexpectedly fail. 534 scored: false 535 536 - id: 1.2.13 537 text: "Ensure that the admission control plugin ServiceAccount is set (Automated)" 538 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 539 tests: 540 bin_op: or 541 test_items: 542 - flag: "--disable-admission-plugins" 543 compare: 544 op: nothave 545 value: "ServiceAccount" 546 - flag: "--disable-admission-plugins" 547 set: false 548 remediation: | 549 Follow the documentation and create ServiceAccount objects as per your environment. 550 Then, edit the API server pod specification file $apiserverconf 551 on the control plane node and ensure that the --disable-admission-plugins parameter is set to a 552 value that does not include ServiceAccount. 
553 scored: true 554 555 - id: 1.2.14 556 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" 557 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 558 tests: 559 bin_op: or 560 test_items: 561 - flag: "--disable-admission-plugins" 562 compare: 563 op: nothave 564 value: "NamespaceLifecycle" 565 - flag: "--disable-admission-plugins" 566 set: false 567 remediation: | 568 Edit the API server pod specification file $apiserverconf 569 on the control plane node and set the --disable-admission-plugins parameter to 570 ensure it does not include NamespaceLifecycle. 571 scored: true 572 573 - id: 1.2.15 574 text: "Ensure that the admission control plugin NodeRestriction is set (Automated)" 575 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'" 576 tests: 577 test_items: 578 - flag: "--enable-admission-plugins" 579 compare: 580 op: has 581 value: "NodeRestriction" 582 remediation: | 583 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. 584 Then, edit the API server pod specification file $apiserverconf 585 on the control plane node and set the --enable-admission-plugins parameter to a 586 value that includes NodeRestriction. 587 --enable-admission-plugins=...,NodeRestriction,... 
588 scored: true 589 590 - id: 1.2.16 591 text: "Ensure that the --secure-port argument is not set to 0 - Note: This recommendation is obsolete and will be deleted per the consensus process (Automated)" 592 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'secure-port'" 593 tests: 594 bin_op: or 595 test_items: 596 - flag: "--secure-port" 597 compare: 598 op: gt 599 value: 0 600 - flag: "--secure-port" 601 set: false 602 remediation: | 603 Edit the API server pod specification file $apiserverconf 604 on the control plane node and either remove the --secure-port parameter or 605 set it to a different (non-zero) desired port. 606 scored: true 607 608 - id: 1.2.17 609 text: "Ensure that the --profiling argument is set to false (Automated)" 610 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'" 611 tests: 612 test_items: 613 - flag: "--profiling" 614 compare: 615 op: eq 616 value: false 617 remediation: | 618 Edit the API server pod specification file $apiserverconf 619 on the control plane node and set the below parameter. 620 --profiling=false 621 scored: true 622 623 - id: 1.2.18 624 text: "Ensure that the --audit-log-path argument is set (Automated)" 625 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 626 type: "skip" 627 tests: 628 test_items: 629 - flag: "--audit-log-path" 630 remediation: | 631 Edit the API server pod specification file $apiserverconf 632 on the control plane node and set the --audit-log-path parameter to a suitable path and 633 file where you would like audit logs to be written, for example, 634 --audit-log-path=/var/log/apiserver/audit.log 635 Permissive.
636 scored: true 637 638 - id: 1.2.19 639 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" 640 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 641 type: "skip" 642 tests: 643 test_items: 644 - flag: "--audit-log-maxage" 645 compare: 646 op: gte 647 value: 30 648 remediation: | 649 Edit the API server pod specification file $apiserverconf 650 on the control plane node and set the --audit-log-maxage parameter to 30 651 or as an appropriate number of days, for example, 652 --audit-log-maxage=30 653 Permissive. 654 scored: true 655 656 - id: 1.2.20 657 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" 658 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 659 type: "skip" 660 tests: 661 test_items: 662 - flag: "--audit-log-maxbackup" 663 compare: 664 op: gte 665 value: 10 666 remediation: | 667 Edit the API server pod specification file $apiserverconf 668 on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate 669 value. For example, 670 --audit-log-maxbackup=10 671 Permissive. 672 scored: true 673 674 - id: 1.2.21 675 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" 676 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 677 type: "skip" 678 tests: 679 test_items: 680 - flag: "--audit-log-maxsize" 681 compare: 682 op: gte 683 value: 100 684 remediation: | 685 Edit the API server pod specification file $apiserverconf 686 on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. 687 For example, to set it as 100 MB, --audit-log-maxsize=100 688 Permissive. 
689 scored: true 690 691 - id: 1.2.22 692 text: "Ensure that the --request-timeout argument is set as appropriate (Manual)" 693 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 694 type: "skip" 695 tests: 696 test_items: 697 - flag: "--request-timeout" 698 remediation: | 699 Edit the API server pod specification file $apiserverconf 700 and set the below parameter as appropriate and if needed. 701 For example, --request-timeout=300s 702 Permissive. 703 scored: false 704 705 - id: 1.2.23 706 text: "Ensure that the --service-account-lookup argument is set to true (Automated)" 707 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 708 tests: 709 bin_op: or 710 test_items: 711 - flag: "--service-account-lookup" 712 set: false 713 - flag: "--service-account-lookup" 714 compare: 715 op: eq 716 value: true 717 remediation: | 718 Edit the API server pod specification file $apiserverconf 719 on the control plane node and set the below parameter. 720 --service-account-lookup=true 721 Alternatively, you can delete the --service-account-lookup parameter from this file so 722 that the default takes effect. 723 scored: true 724 725 - id: 1.2.24 726 text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)" 727 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -v grep" 728 type: "skip" 729 tests: 730 test_items: 731 - flag: "--service-account-key-file" 732 remediation: | 733 Edit the API server pod specification file $apiserverconf 734 on the control plane node and set the --service-account-key-file parameter 735 to the public key file for service accounts. 
For example, 736 --service-account-key-file=<filename> 737 scored: true 738 739 - id: 1.2.25 740 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" 741 audit: "check_for_k3s_etcd.sh 1.2.29" 742 tests: 743 bin_op: and 744 test_items: 745 - flag: "--etcd-certfile" 746 set: true 747 - flag: "--etcd-keyfile" 748 set: true 749 remediation: | 750 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 751 Then, edit the API server pod specification file $apiserverconf 752 on the control plane node and set the etcd certificate and key file parameters. 753 --etcd-certfile=<path/to/client-certificate-file> 754 --etcd-keyfile=<path/to/client-key-file> 755 scored: true 756 757 - id: 1.2.26 758 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)" 759 audit: "journalctl -D /var/log/journal -u k3s | grep -A1 'Running kube-apiserver' | tail -n2" 760 tests: 761 bin_op: and 762 test_items: 763 - flag: "--tls-cert-file" 764 set: true 765 - flag: "--tls-private-key-file" 766 set: true 767 remediation: | 768 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 769 Then, edit the API server pod specification file $apiserverconf 770 on the control plane node and set the TLS certificate and private key file parameters. 771 --tls-cert-file=<path/to/tls-certificate-file> 772 --tls-private-key-file=<path/to/tls-key-file> 773 scored: true 774 775 - id: 1.2.27 776 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 777 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'" 778 tests: 779 test_items: 780 - flag: "--client-ca-file" 781 remediation: | 782 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 
783 Then, edit the API server pod specification file $apiserverconf 784 on the control plane node and set the client certificate authority file. 785 --client-ca-file=<path/to/client-ca-file> 786 scored: true 787 788 - id: 1.2.28 789 text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)" 790 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'" 791 tests: 792 test_items: 793 - flag: "--etcd-cafile" 794 remediation: | 795 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 796 Then, edit the API server pod specification file $apiserverconf 797 on the control plane node and set the etcd certificate authority file parameter. 798 --etcd-cafile=<path/to/ca-file> 799 scored: true 800 801 - id: 1.2.29 802 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)" 803 type: "skip" 804 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'" 805 tests: 806 test_items: 807 - flag: "--encryption-provider-config" 808 remediation: | 809 Follow the Kubernetes documentation and configure a EncryptionConfig file. 810 Then, edit the API server pod specification file $apiserverconf 811 on the control plane node and set the --encryption-provider-config parameter to the path of that file. 812 For example, --encryption-provider-config=</path/to/EncryptionConfig/File> 813 Permissive - Enabling encryption changes how data can be recovered as data is encrypted. 
814 scored: false 815 816 - id: 1.2.30 817 text: "Ensure that encryption providers are appropriately configured (Manual)" 818 type: "skip" 819 audit: | 820 ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%') 821 if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi 822 tests: 823 test_items: 824 - flag: "provider" 825 compare: 826 op: valid_elements 827 value: "aescbc,kms,secretbox" 828 remediation: | 829 Follow the Kubernetes documentation and configure a EncryptionConfig file. 830 In this file, choose aescbc, kms or secretbox as the encryption provider. 831 Permissive - Enabling encryption changes how data can be recovered as data is encrypted. 832 scored: false 833 834 - id: 1.2.32 835 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)" 836 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'" 837 tests: 838 test_items: 839 - flag: "--tls-cipher-suites" 840 compare: 841 op: valid_elements 842 value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384" 843 remediation: | 844 Edit the API server pod 
specification file /etc/kubernetes/manifests/kube-apiserver.yaml 845 on the control plane node and set the below parameter. 846 --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256, 847 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 848 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 849 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 850 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 851 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 852 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, 853 TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384 854 scored: false 855 856 - id: 1.3 857 text: "Controller Manager" 858 checks: 859 - id: 1.3.1 860 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)" 861 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'terminated-pod-gc-threshold'" 862 tests: 863 test_items: 864 - flag: "--terminated-pod-gc-threshold" 865 remediation: | 866 Edit the Controller Manager pod specification file $controllermanagerconf 867 on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold, 868 for example, --terminated-pod-gc-threshold=10 869 scored: false 870 871 - id: 1.3.2 872 text: "Ensure that the --profiling argument is set to false (Automated)" 873 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'profiling'" 874 tests: 875 test_items: 876 - flag: "--profiling" 877 compare: 878 op: eq 879 value: false 880 remediation: | 881 Edit the Controller Manager pod specification file $controllermanagerconf 882 on 
the control plane node and set the below parameter. 883 --profiling=false 884 scored: true 885 886 - id: 1.3.3 887 text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)" 888 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'use-service-account-credentials'" 889 tests: 890 test_items: 891 - flag: "--use-service-account-credentials" 892 compare: 893 op: noteq 894 value: false 895 remediation: | 896 Edit the Controller Manager pod specification file $controllermanagerconf 897 on the control plane node to set the below parameter. 898 --use-service-account-credentials=true 899 scored: true 900 901 - id: 1.3.4 902 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)" 903 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'service-account-private-key-file'" 904 tests: 905 test_items: 906 - flag: "--service-account-private-key-file" 907 remediation: | 908 Edit the Controller Manager pod specification file $controllermanagerconf 909 on the control plane node and set the --service-account-private-key-file parameter 910 to the private key file for service accounts. 911 --service-account-private-key-file=<filename> 912 scored: true 913 914 - id: 1.3.5 915 text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)" 916 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'root-ca-file'" 917 tests: 918 test_items: 919 - flag: "--root-ca-file" 920 remediation: | 921 Edit the Controller Manager pod specification file $controllermanagerconf 922 on the control plane node and set the --root-ca-file parameter to the certificate bundle file`. 
923 --root-ca-file=<path/to/file> 924 scored: true 925 926 - id: 1.3.6 927 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" 928 type: "skip" 929 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-controller-manager' | tail -n1 | grep 'RotateKubeletServerCertificate'" 930 tests: 931 bin_op: or 932 test_items: 933 - flag: "--feature-gates" 934 compare: 935 op: nothave 936 value: "RotateKubeletServerCertificate=false" 937 set: true 938 - flag: "--feature-gates" 939 set: false 940 remediation: | 941 Edit the Controller Manager pod specification file $controllermanagerconf 942 on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. 943 --feature-gates=RotateKubeletServerCertificate=true 944 Not Applicable. 945 scored: true 946 947 - id: 1.3.7 948 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 949 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" 950 tests: 951 bin_op: or 952 test_items: 953 - flag: "--bind-address" 954 compare: 955 op: eq 956 value: "127.0.0.1" 957 set: true 958 - flag: "--bind-address" 959 set: false 960 remediation: | 961 Edit the Controller Manager pod specification file $controllermanagerconf 962 on the control plane node and ensure the correct value for the --bind-address parameter 963 scored: true 964 965 - id: 1.4 966 text: "Scheduler" 967 checks: 968 - id: 1.4.1 969 text: "Ensure that the --profiling argument is set to false (Automated)" 970 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1" 971 tests: 972 test_items: 973 - flag: "--profiling" 974 compare: 975 op: eq 976 value: false 977 set: true 978 remediation: | 979 Edit the Scheduler pod specification file $schedulerconf file 980 on the control plane node and set the below parameter. 
981 --profiling=false 982 scored: true 983 984 - id: 1.4.2 985 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" 986 audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-scheduler' | tail -n1 | grep 'bind-address'" 987 tests: 988 bin_op: or 989 test_items: 990 - flag: "--bind-address" 991 compare: 992 op: eq 993 value: "127.0.0.1" 994 set: true 995 - flag: "--bind-address" 996 set: false 997 remediation: | 998 Edit the Scheduler pod specification file $schedulerconf 999 on the control plane node and ensure the correct value for the --bind-address parameter 1000 scored: true