github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rke-cis-1.24/master.yaml (about) 1 --- 2 controls: 3 version: "rke-cis-1.24" 4 id: 1 5 text: "Control Plane Security Configuration" 6 type: "master" 7 groups: 8 - id: 1.1 9 text: "Control Plane Node Configuration Files" 10 checks: 11 - id: 1.1.1 12 text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)" 13 type: "skip" 14 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" 15 tests: 16 test_items: 17 - flag: "permissions" 18 compare: 19 op: bitmask 20 value: "600" 21 remediation: | 22 Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-apiserver. 23 All configuration is passed in as arguments at container run time. 24 scored: true 25 26 - id: 1.1.2 27 text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)" 28 type: "skip" 29 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" 30 tests: 31 test_items: 32 - flag: "root:root" 33 remediation: | 34 Run the below command (based on the file location on your system) on the control plane node. 35 For example, chown root:root $apiserverconf 36 scored: true 37 38 - id: 1.1.3 39 text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)" 40 type: "skip" 41 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" 42 tests: 43 test_items: 44 - flag: "permissions" 45 compare: 46 op: bitmask 47 value: "600" 48 remediation: | 49 Run the below command (based on the file location on your system) on the control plane node. 
50 For example, chmod 600 $controllermanagerconf 51 scored: true 52 53 - id: 1.1.4 54 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" 55 type: "skip" 56 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" 57 tests: 58 test_items: 59 - flag: "root:root" 60 remediation: | 61 Run the below command (based on the file location on your system) on the control plane node. 62 For example, chown root:root $controllermanagerconf 63 scored: true 64 65 - id: 1.1.5 66 text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)" 67 type: "skip" 68 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" 69 tests: 70 test_items: 71 - flag: "permissions" 72 compare: 73 op: bitmask 74 value: "600" 75 remediation: | 76 Run the below command (based on the file location on your system) on the control plane node. 77 For example, chmod 600 $schedulerconf 78 scored: true 79 80 - id: 1.1.6 81 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" 82 type: "skip" 83 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" 84 tests: 85 test_items: 86 - flag: "root:root" 87 remediation: | 88 Run the below command (based on the file location on your system) on the control plane node. 
89 For example, chown root:root $schedulerconf 90 scored: true 91 92 - id: 1.1.7 93 text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" 94 type: "skip" 95 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" 96 use_multiple_values: true 97 tests: 98 test_items: 99 - flag: "permissions" 100 compare: 101 op: bitmask 102 value: "600" 103 remediation: | 104 Run the below command (based on the file location on your system) on the control plane node. 105 For example, 106 chmod 600 $etcdconf 107 scored: true 108 109 - id: 1.1.8 110 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" 111 type: "skip" 112 audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi'" 113 use_multiple_values: true 114 tests: 115 test_items: 116 - flag: "root:root" 117 remediation: | 118 Run the below command (based on the file location on your system) on the control plane node. 119 For example, 120 chown root:root $etcdconf 121 scored: true 122 123 - id: 1.1.9 124 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)" 125 audit: | 126 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a 127 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a 128 use_multiple_values: true 129 tests: 130 test_items: 131 - flag: "permissions" 132 compare: 133 op: bitmask 134 value: "600" 135 remediation: | 136 Run the below command (based on the file location on your system) on the control plane node. 
137 For example, chmod 600 <path/to/cni/files> 138 scored: false 139 140 - id: 1.1.10 141 text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" 142 audit: | 143 ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G 144 find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G 145 use_multiple_values: true 146 tests: 147 test_items: 148 - flag: "root:root" 149 remediation: | 150 Run the below command (based on the file location on your system) on the control plane node. 151 For example, 152 chown root:root <path/to/cni/files> 153 scored: false 154 155 - id: 1.1.11 156 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" 157 audit: stat -c %a /node/var/lib/etcd 158 tests: 159 test_items: 160 - flag: "700" 161 compare: 162 op: eq 163 value: "700" 164 set: true 165 remediation: | 166 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 167 from the command 'ps -ef | grep etcd'. 168 Run the below command (based on the etcd data directory found above). For example, 169 chmod 700 /var/lib/etcd 170 scored: true 171 172 - id: 1.1.12 173 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" 174 type: "skip" 175 audit: "stat -c %U:%G /node/var/lib/etcd" 176 tests: 177 test_items: 178 - flag: "etcd:etcd" 179 set: true 180 remediation: | 181 On the etcd server node, get the etcd data directory, passed as an argument --data-dir, 182 from the command 'ps -ef | grep etcd'. 183 Run the below command (based on the etcd data directory found above). 
184 For example, chown etcd:etcd /var/lib/etcd 185 scored: true 186 187 - id: 1.1.13 188 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" 189 type: "skip" 190 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'" 191 tests: 192 test_items: 193 - flag: "permissions" 194 compare: 195 op: bitmask 196 value: "600" 197 remediation: | 198 Run the below command (based on the file location on your system) on the control plane node. 199 For example, chmod 600 /etc/kubernetes/admin.conf 200 scored: true 201 202 - id: 1.1.14 203 text: "Ensure that the admin.conf file ownership is set to root:root (Automated)" 204 type: "skip" 205 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'" 206 tests: 207 test_items: 208 - flag: "root:root" 209 remediation: | 210 Run the below command (based on the file location on your system) on the control plane node. 211 For example, chown root:root /etc/kubernetes/admin.conf 212 scored: true 213 214 - id: 1.1.15 215 text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)" 216 type: "skip" 217 audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'" 218 tests: 219 test_items: 220 - flag: "permissions" 221 compare: 222 op: bitmask 223 value: "600" 224 remediation: | 225 Run the below command (based on the file location on your system) on the control plane node. 
226 For example, 227 chmod 600 $schedulerkubeconfig 228 scored: true 229 230 - id: 1.1.16 231 text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)" 232 type: "skip" 233 audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'" 234 tests: 235 test_items: 236 - flag: "root:root" 237 remediation: | 238 Run the below command (based on the file location on your system) on the control plane node. 239 For example, 240 chown root:root $schedulerkubeconfig 241 scored: true 242 243 - id: 1.1.17 244 text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)" 245 type: "skip" 246 audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'" 247 tests: 248 test_items: 249 - flag: "permissions" 250 compare: 251 op: bitmask 252 value: "600" 253 remediation: | 254 Run the below command (based on the file location on your system) on the control plane node. 255 For example, 256 chmod 600 $controllermanagerkubeconfig 257 scored: true 258 259 - id: 1.1.18 260 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" 261 type: "skip" 262 audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'" 263 tests: 264 test_items: 265 - flag: "root:root" 266 remediation: | 267 Run the below command (based on the file location on your system) on the control plane node. 
268 For example, 269 chown root:root $controllermanagerkubeconfig 270 scored: true 271 272 - id: 1.1.19 273 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" 274 audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" 275 tests: 276 test_items: 277 - flag: "true" 278 compare: 279 op: eq 280 value: "true" 281 set: true 282 remediation: | 283 Run the below command (based on the file location on your system) on the control plane node. 284 For example, 285 chown -R root:root /etc/kubernetes/pki/ 286 scored: true 287 288 - id: 1.1.20 289 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" 290 audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a" 291 use_multiple_values: true 292 tests: 293 test_items: 294 - flag: "permissions" 295 compare: 296 op: bitmask 297 value: "600" 298 remediation: | 299 Run the below command (based on the file location on your system) on the control plane node. 300 For example, 301 find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} + 302 scored: false 303 304 - id: 1.1.21 305 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" 306 audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a" 307 use_multiple_values: true 308 tests: 309 test_items: 310 - flag: "permissions" 311 compare: 312 op: bitmask 313 value: "600" 314 remediation: | 315 Run the below command (based on the file location on your system) on the control plane node. 
316 For example, 317 find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} + 318 scored: false 319 320 - id: 1.2 321 text: "API Server" 322 checks: 323 - id: 1.2.1 324 text: "Ensure that the --anonymous-auth argument is set to false (Automated)" 325 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 326 tests: 327 test_items: 328 - flag: "--anonymous-auth" 329 compare: 330 op: eq 331 value: false 332 set: true 333 remediation: | 334 Edit the API server pod specification file $apiserverconf 335 on the control plane node and set the below parameter. 336 --anonymous-auth=false 337 scored: true 338 339 - id: 1.2.2 340 text: "Ensure that the --token-auth-file parameter is not set (Automated)" 341 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 342 tests: 343 test_items: 344 - flag: "--token-auth-file" 345 set: false 346 remediation: | 347 Follow the documentation and configure alternate mechanisms for authentication. Then, 348 edit the API server pod specification file $apiserverconf 349 on the control plane node and remove the --token-auth-file=<filename> parameter. 350 scored: true 351 352 - id: 1.2.3 353 text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)" 354 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 355 tests: 356 bin_op: or 357 test_items: 358 - flag: "--enable-admission-plugins" 359 compare: 360 op: nothave 361 value: "DenyServiceExternalIPs" 362 set: true 363 - flag: "--enable-admission-plugins" 364 set: false 365 remediation: | 366 Edit the API server pod specification file $apiserverconf 367 on the control plane node and remove the `DenyServiceExternalIPs` 368 from enabled admission plugins. 
369 scored: true 370 371 - id: 1.2.4 372 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" 373 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 374 tests: 375 bin_op: and 376 test_items: 377 - flag: "--kubelet-client-certificate" 378 - flag: "--kubelet-client-key" 379 remediation: | 380 Follow the Kubernetes documentation and set up the TLS connection between the 381 apiserver and kubelets. Then, edit API server pod specification file 382 $apiserverconf on the control plane node and set the 383 kubelet client certificate and key parameters as below. 384 --kubelet-client-certificate=<path/to/client-certificate-file> 385 --kubelet-client-key=<path/to/client-key-file> 386 scored: true 387 388 - id: 1.2.5 389 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" 390 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 391 tests: 392 bin_op: and 393 test_items: 394 - flag: "--kubelet-client-certificate" 395 set: true 396 - flag: "--kubelet-client-key" 397 set: true 398 remediation: | 399 Follow the Kubernetes documentation and set up the TLS connection between the 400 apiserver and kubelets. Then, edit API server pod specification file 401 $apiserverconf on the control plane node and set the 402 kubelet client certificate and key parameters as below. 403 --kubelet-client-certificate=<path/to/client-certificate-file> 404 --kubelet-client-key=<path/to/client-key-file> 405 scored: true 406 407 - id: 1.2.6 408 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" 409 type: "skip" 410 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 411 tests: 412 test_items: 413 - flag: "--kubelet-certificate-authority" 414 set: true 415 remediation: | 416 Follow the Kubernetes documentation and set up the TLS connection between 417 the apiserver and kubelets. 
Then, edit the API server pod specification file 418 $apiserverconf on the control plane node and set the 419 --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. 420 --kubelet-certificate-authority=<ca-string> 421 When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers. 422 scored: true 423 424 - id: 1.2.7 425 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" 426 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 427 tests: 428 test_items: 429 - flag: "--authorization-mode" 430 compare: 431 op: nothave 432 value: "AlwaysAllow" 433 set: true 434 remediation: | 435 Edit the API server pod specification file $apiserverconf 436 on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow. 437 One such example could be as below. 438 --authorization-mode=RBAC 439 scored: true 440 441 - id: 1.2.8 442 text: "Ensure that the --authorization-mode argument includes Node (Automated)" 443 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 444 tests: 445 test_items: 446 - flag: "--authorization-mode" 447 compare: 448 op: has 449 value: "Node" 450 set: true 451 remediation: | 452 Edit the API server pod specification file $apiserverconf 453 on the control plane node and set the --authorization-mode parameter to a value that includes Node. 
454 --authorization-mode=Node,RBAC 455 scored: true 456 457 - id: 1.2.9 458 text: "Ensure that the --authorization-mode argument includes RBAC (Automated)" 459 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 460 tests: 461 test_items: 462 - flag: "--authorization-mode" 463 compare: 464 op: has 465 value: "RBAC" 466 set: true 467 remediation: | 468 Edit the API server pod specification file $apiserverconf 469 on the control plane node and set the --authorization-mode parameter to a value that includes RBAC, 470 for example `--authorization-mode=Node,RBAC`. 471 scored: true 472 473 - id: 1.2.10 474 text: "Ensure that the admission control plugin EventRateLimit is set (Manual)" 475 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 476 tests: 477 test_items: 478 - flag: "--enable-admission-plugins" 479 compare: 480 op: has 481 value: "EventRateLimit" 482 set: true 483 remediation: | 484 Follow the Kubernetes documentation and set the desired limits in a configuration file. 485 Then, edit the API server pod specification file $apiserverconf 486 and set the below parameters. 487 --enable-admission-plugins=...,EventRateLimit,... 488 --admission-control-config-file=<path/to/configuration/file> 489 scored: false 490 491 - id: 1.2.11 492 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" 493 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 494 tests: 495 bin_op: or 496 test_items: 497 - flag: "--enable-admission-plugins" 498 compare: 499 op: nothave 500 value: AlwaysAdmit 501 set: true 502 - flag: "--enable-admission-plugins" 503 set: false 504 remediation: | 505 Edit the API server pod specification file $apiserverconf 506 on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a 507 value that does not include AlwaysAdmit. 
508 scored: true 509 510 - id: 1.2.12 511 text: "Ensure that the admission control plugin AlwaysPullImages is set (Automated)" 512 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 513 tests: 514 test_items: 515 - flag: "--enable-admission-plugins" 516 compare: 517 op: has 518 value: "AlwaysPullImages" 519 remediation: | 520 Edit the API server pod specification file $apiserverconf 521 on the control plane node and set the --enable-admission-plugins parameter to include 522 AlwaysPullImages. 523 --enable-admission-plugins=...,AlwaysPullImages,... 524 scored: false 525 526 - id: 1.2.13 527 text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Automated)" 528 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 529 tests: 530 bin_op: or 531 test_items: 532 - flag: "--enable-admission-plugins" 533 compare: 534 op: has 535 value: "SecurityContextDeny" 536 - flag: "--enable-admission-plugins" 537 compare: 538 op: has 539 value: "PodSecurityPolicy" 540 remediation: | 541 Edit the API server pod specification file $apiserverconf 542 on the control plane node and set the --enable-admission-plugins parameter to include 543 SecurityContextDeny, unless PodSecurityPolicy is already in place. 544 --enable-admission-plugins=...,SecurityContextDeny,... 545 scored: false 546 547 - id: 1.2.14 548 text: "Ensure that the admission control plugin ServiceAccount is set (Automated)" 549 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 550 tests: 551 bin_op: or 552 test_items: 553 - flag: "--disable-admission-plugins" 554 compare: 555 op: nothave 556 value: "ServiceAccount" 557 set: true 558 - flag: "--disable-admission-plugins" 559 set: false 560 remediation: | 561 Follow the documentation and create ServiceAccount objects as per your environment. 
562 Then, edit the API server pod specification file $apiserverconf 563 on the control plane node and ensure that the --disable-admission-plugins parameter is set to a 564 value that does not include ServiceAccount. 565 scored: true 566 567 - id: 1.2.15 568 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" 569 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 570 tests: 571 bin_op: or 572 test_items: 573 - flag: "--disable-admission-plugins" 574 compare: 575 op: nothave 576 value: "NamespaceLifecycle" 577 set: true 578 - flag: "--disable-admission-plugins" 579 set: false 580 remediation: | 581 Edit the API server pod specification file $apiserverconf 582 on the control plane node and set the --disable-admission-plugins parameter to 583 ensure it does not include NamespaceLifecycle. 584 scored: true 585 586 - id: 1.2.16 587 text: "Ensure that the admission control plugin NodeRestriction is set (Automated)" 588 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 589 tests: 590 test_items: 591 - flag: "--enable-admission-plugins" 592 compare: 593 op: has 594 value: "NodeRestriction" 595 set: true 596 remediation: | 597 Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. 598 Then, edit the API server pod specification file $apiserverconf 599 on the control plane node and set the --enable-admission-plugins parameter to a 600 value that includes NodeRestriction. 601 --enable-admission-plugins=...,NodeRestriction,... 
602 scored: true 603 604 - id: 1.2.17 605 text: "Ensure that the --secure-port argument is not set to 0 (Automated)" 606 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 607 tests: 608 bin_op: or 609 test_items: 610 - flag: "--secure-port" 611 compare: 612 op: gt 613 value: 0 614 set: true 615 - flag: "--secure-port" 616 set: false 617 remediation: | 618 Edit the API server pod specification file $apiserverconf 619 on the control plane node and either remove the --secure-port parameter or 620 set it to a different (non-zero) desired port. 621 scored: true 622 623 - id: 1.2.18 624 text: "Ensure that the --profiling argument is set to false (Automated)" 625 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 626 tests: 627 test_items: 628 - flag: "--profiling" 629 compare: 630 op: eq 631 value: false 632 set: true 633 remediation: | 634 Edit the API server pod specification file $apiserverconf 635 on the control plane node and set the below parameter. 636 --profiling=false 637 scored: true 638 639 - id: 1.2.19 640 text: "Ensure that the --audit-log-path argument is set (Automated)" 641 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 642 tests: 643 test_items: 644 - flag: "--audit-log-path" 645 set: true 646 remediation: | 647 Edit the API server pod specification file $apiserverconf 648 on the control plane node and set the --audit-log-path parameter to a suitable path and 649 file where you would like audit logs to be written, for example, 650 --audit-log-path=/var/log/apiserver/audit.log 651 scored: true 652 653 - id: 1.2.20 654 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" 655 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 656 tests: 657 test_items: 658 - flag: "--audit-log-maxage" 659 compare: 660 op: gte 661 value: 30 662 set: true 663 remediation: | 664 Edit the API server pod specification file $apiserverconf 665 on the control plane node and set the --audit-log-maxage parameter 
to 30 666 or as an appropriate number of days, for example, 667 --audit-log-maxage=30 668 scored: true 669 670 - id: 1.2.21 671 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" 672 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 673 tests: 674 test_items: 675 - flag: "--audit-log-maxbackup" 676 compare: 677 op: gte 678 value: 10 679 set: true 680 remediation: | 681 Edit the API server pod specification file $apiserverconf 682 on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate 683 value. For example, 684 --audit-log-maxbackup=10 685 scored: true 686 687 - id: 1.2.22 688 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" 689 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 690 tests: 691 test_items: 692 - flag: "--audit-log-maxsize" 693 compare: 694 op: gte 695 value: 100 696 set: true 697 remediation: | 698 Edit the API server pod specification file $apiserverconf 699 on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB. 700 For example, to set it as 100 MB, --audit-log-maxsize=100 701 scored: true 702 703 - id: 1.2.23 704 text: "Ensure that the --request-timeout argument is set as appropriate (Manual)" 705 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 706 type: manual 707 remediation: | 708 Edit the API server pod specification file $apiserverconf 709 and set the below parameter as appropriate and if needed. 
710 For example, --request-timeout=300s 711 scored: false 712 713 - id: 1.2.24 714 text: "Ensure that the --service-account-lookup argument is set to true (Automated)" 715 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 716 tests: 717 bin_op: or 718 test_items: 719 - flag: "--service-account-lookup" 720 set: false 721 - flag: "--service-account-lookup" 722 compare: 723 op: eq 724 value: true 725 set: true 726 remediation: | 727 Edit the API server pod specification file $apiserverconf 728 on the control plane node and set the below parameter. 729 --service-account-lookup=true 730 Alternatively, you can delete the --service-account-lookup parameter from this file so 731 that the default takes effect. 732 scored: true 733 734 - id: 1.2.25 735 text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)" 736 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 737 tests: 738 test_items: 739 - flag: "--service-account-key-file" 740 set: true 741 remediation: | 742 Edit the API server pod specification file $apiserverconf 743 on the control plane node and set the --service-account-key-file parameter 744 to the public key file for service accounts. For example, 745 --service-account-key-file=<filename> 746 scored: true 747 748 - id: 1.2.26 749 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" 750 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 751 tests: 752 bin_op: and 753 test_items: 754 - flag: "--etcd-certfile" 755 set: true 756 - flag: "--etcd-keyfile" 757 set: true 758 remediation: | 759 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 760 Then, edit the API server pod specification file $apiserverconf 761 on the control plane node and set the etcd certificate and key file parameters. 
762 --etcd-certfile=<path/to/client-certificate-file> 763 --etcd-keyfile=<path/to/client-key-file> 764 scored: true 765 766 - id: 1.2.27 767 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)" 768 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 769 tests: 770 bin_op: and 771 test_items: 772 - flag: "--tls-cert-file" 773 set: true 774 - flag: "--tls-private-key-file" 775 set: true 776 remediation: | 777 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 778 Then, edit the API server pod specification file $apiserverconf 779 on the control plane node and set the TLS certificate and private key file parameters. 780 --tls-cert-file=<path/to/tls-certificate-file> 781 --tls-private-key-file=<path/to/tls-key-file> 782 scored: true 783 784 - id: 1.2.28 785 text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)" 786 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 787 tests: 788 test_items: 789 - flag: "--client-ca-file" 790 set: true 791 remediation: | 792 Follow the Kubernetes documentation and set up the TLS connection on the apiserver. 793 Then, edit the API server pod specification file $apiserverconf 794 on the control plane node and set the client certificate authority file. 795 --client-ca-file=<path/to/client-ca-file> 796 scored: true 797 798 - id: 1.2.29 799 text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)" 800 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 801 tests: 802 test_items: 803 - flag: "--etcd-cafile" 804 set: true 805 remediation: | 806 Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. 807 Then, edit the API server pod specification file $apiserverconf 808 on the control plane node and set the etcd certificate authority file parameter. 
809 --etcd-cafile=<path/to/ca-file> 810 scored: true 811 812 - id: 1.2.30 813 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)" 814 type: "skip" 815 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 816 tests: 817 test_items: 818 - flag: "--encryption-provider-config" 819 set: true 820 remediation: | 821 Follow the Kubernetes documentation and configure an EncryptionConfig file. 822 Then, edit the API server pod specification file $apiserverconf 823 on the control plane node and set the --encryption-provider-config parameter to the path of that file. 824 For example, --encryption-provider-config=</path/to/EncryptionConfig/File> 825 scored: false 826 827 - id: 1.2.31 828 text: "Ensure that encryption providers are appropriately configured (Manual)" 829 type: "skip" 830 audit: | 831 ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%') 832 if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi 833 tests: 834 test_items: 835 - flag: "provider" 836 compare: 837 op: valid_elements 838 value: "aescbc,kms,secretbox" 839 remediation: | 840 Follow the Kubernetes documentation and configure an EncryptionConfig file. 841 In this file, choose aescbc, kms or secretbox as the encryption provider. 842 Enabling encryption changes how data can be recovered as data is encrypted. 
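# Closing key of check 1.2.31, whose header lies above this fragment; kept unchanged.
        scored: false

      - id: 1.2.32
        text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"
        # Flags are read from the running kube-apiserver process, not from a manifest file.
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--tls-cipher-suites"
              compare:
                # valid_elements is expected to pass when every suite configured on the flag
                # appears in this set.
                # NOTE(review): the set mirrors the benchmark text and therefore still admits the
                # *_3DES_EDE_CBC_SHA suites and the static-RSA TLS_RSA_* suites (no forward
                # secrecy). A stricter, operator-chosen list is still a subset of this set and
                # passes the check; consider dropping 3DES and TLS_RSA_* when configuring the flag.
                op: valid_elements
                value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
        # RKE does not maintain a kube-apiserver pod specification file (see 1.1.1), so the
        # remediation targets the container arguments rather than a kubeadm manifest path.
        # The flag value below is wrapped for readability only; on the command line it must be
        # one comma-separated value with no whitespace or line breaks.
        remediation: |
          Cluster provisioned by RKE doesn't maintain a pod specification file for kube-apiserver;
          all configuration is passed in as arguments at container run time.
          Ensure kube-apiserver is started with the below parameter, given as a single comma-separated value.
          --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
          TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
          TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
        # NOTE(review): text marks this check Automated while scored is false; confirm which is intended.
        scored: false

  # Group 1.3: kube-controller-manager flags, read from the running process (see each audit line).
  - id: 1.3
    text: "Controller Manager"
    checks:
      - id: 1.3.1
        text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            # Only presence of the flag is verified; the threshold value itself is not checked.
            - flag: "--terminated-pod-gc-threshold"
              set: true
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,
          for example, --terminated-pod-gc-threshold=10
        # NOTE(review): text marks this check Manual while scored is true; confirm which is intended.
        scored: true

      - id: 1.3.2
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            # The flag must be present AND equal to false; an absent flag fails the check.
            - flag: "--profiling"
              compare:
                op: eq
                value: false
              set: true
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.3.3
        text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            # Passes when the flag is present with any value other than false.
            - flag: "--use-service-account-credentials"
              compare:
                op: noteq
                value: false
              set: true
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node to set the below parameter.
          --use-service-account-credentials=true
        scored: true

      - id: 1.3.4
        text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            # Presence only; the referenced key file is not inspected.
            - flag: "--service-account-private-key-file"
              set: true
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --service-account-private-key-file parameter
          to the private key file for service accounts.
          --service-account-private-key-file=<filename>
        scored: true

      - id: 1.3.5
        text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          test_items:
            # Presence only; the referenced CA bundle is not inspected.
            - flag: "--root-ca-file"
              set: true
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --root-ca-file parameter to the certificate bundle file.
          --root-ca-file=<path/to/file>
        scored: true

      - id: 1.3.6
        text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
        # Skipped: RKE manages certificate rotation itself (see remediation), so the
        # feature gate is not evaluated on RKE clusters.
        type: "skip"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            # Either the gate is not explicitly disabled, or --feature-gates is absent.
            - flag: "--feature-gates"
              compare:
                op: nothave
                value: "RotateKubeletServerCertificate=false"
              set: true
            - flag: "--feature-gates"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
          --feature-gates=RotateKubeletServerCertificate=true
          Cluster provisioned by RKE handles certificate rotation directly through RKE.
        scored: true

      - id: 1.3.7
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
              set: true
            # The second item makes the check pass when --bind-address is absent altogether.
            # NOTE(review): kube-controller-manager is understood to default --bind-address to
            # 0.0.0.0 when the flag is omitted, so absence is not evidence of loopback-only
            # binding; confirm against the deployed version before relying on a PASS here.
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Controller Manager pod specification file $controllermanagerconf
          on the control plane node and set the below parameter.
          --bind-address=127.0.0.1
        scored: true

  # Group 1.4: kube-scheduler flags, read from the running process (see each audit line).
  - id: 1.4
    text: "Scheduler"
    checks:
      - id: 1.4.1
        text: "Ensure that the --profiling argument is set to false (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          test_items:
            # The flag must be present AND equal to false; an absent flag fails the check.
            - flag: "--profiling"
              compare:
                op: eq
                value: false
              set: true
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf
          on the control plane node and set the below parameter.
          --profiling=false
        scored: true

      - id: 1.4.2
        text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
        audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
        tests:
          bin_op: or
          test_items:
            - flag: "--bind-address"
              compare:
                op: eq
                value: "127.0.0.1"
              set: true
            # The second item makes the check pass when --bind-address is absent altogether.
            # NOTE(review): kube-scheduler is understood to default --bind-address to 0.0.0.0
            # when the flag is omitted, so absence is not evidence of loopback-only binding;
            # confirm against the deployed version before relying on a PASS here.
            - flag: "--bind-address"
              set: false
        remediation: |
          Edit the Scheduler pod specification file $schedulerconf
          on the control plane node and set the below parameter.
          --bind-address=127.0.0.1
        scored: true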