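---
# kube-bench control file for the RKE2 profile of the CIS Kubernetes Benchmark v1.24,
# worker-node section (controls 4.x).
#
# Layout note: `controls:` carries no value; `version`, `id`, `text`, `type` and `groups`
# are its top-level siblings, not children.
#
# The `$kubeletsvc`, `$proxykubeconfig`, `$kubeletkubeconfig`, `$kubeletconf` and
# `$kubeletbin` variables in the audit commands are substituted by kube-bench before
# the command runs (presumably from the profile's node configuration — confirm against
# the loader).
#
# Several 4.2.x checks carry a second test item with `set: false`, i.e. they pass when
# the setting is absent and therefore trust the kubelet default shipped by this RKE2
# version. Confirm those defaults when the RKE2 version changes.
controls:
version: "rke2-cis-1.24"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: 4.1
    text: "Worker Node Configuration Files"
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        # Skipped in this profile — presumably because RKE2 does not run the kubelet from
        # a standalone service file; confirm before un-skipping.
        type: "skip"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                # bitmask: passes when no permission bit beyond 0600 is set,
                # so stricter modes such as 0400 also pass.
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chmod 600 $kubeletsvc
        scored: true

      - id: 4.1.2
        text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
        # Skipped for the same reason as 4.1.1.
        type: "skip"
        tests:
          test_items:
            - flag: "root:root"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletsvc
        scored: true

      - id: 4.1.3
        text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: "permissions"
              set: true
              compare:
                op: bitmask
                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $proxykubeconfig
        scored: false

      - id: 4.1.4
        text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
        tests:
          bin_op: or
          test_items:
            - flag: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example, chown root:root $proxykubeconfig
        scored: false

      - id: 4.1.5
        text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            # Same `permissions=<mode>` audit output as 4.1.1/4.1.3/4.1.9, so the check
            # uses the same bitmask comparison: an exact-match (`eq "600"`) test would
            # fail a file that is *more* restrictive (e.g. 0400), contradicting the
            # control's "600 or more restrictive" wording.
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chmod 600 $kubeletkubeconfig
        scored: true

      - id: 4.1.6
        text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
        tests:
          test_items:
            - flag: root:root
              set: true
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
          chown root:root $kubeletkubeconfig
        scored: true

      - id: 4.1.7
        text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
        # Helper script resolves the --client-ca-file path from the running kubelet;
        # it is expected to print `permissions=<mode>` like the stat-based audits above.
        audit: "check_cafile_permissions.sh"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        remediation: |
          Run the following command to modify the file permissions of the
          --client-ca-file chmod 600 <filename>
        scored: false

      - id: 4.1.8
        text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
        audit: "check_cafile_ownership.sh"
        tests:
          test_items:
            - flag: root:root
              compare:
                op: eq
                value: root:root
        remediation: |
          Run the following command to modify the ownership of the --client-ca-file.
          chown root:root <filename>
        scored: false

      - id: 4.1.9
        text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "600"
              set: true
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chmod 600 $kubeletconf
        scored: true

      - id: 4.1.10
        text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)"
        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
        tests:
          test_items:
            - flag: root:root
              set: true
        remediation: |
          Run the following command (using the config file location identified in the Audit step)
          chown root:root $kubeletconf
        scored: true

  - id: 4.2
    text: "Kubelet"
    # For each check below, `audit` inspects the kubelet command line (`flag`) and
    # `audit_config` inspects the kubelet config file (`path`, a JSONPath expression).
    checks:
      - id: 4.2.1
        text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: "--anonymous-auth"
              path: '{.authentication.anonymous.enabled}'
              compare:
                op: eq
                value: false
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
          `false`.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          `--anonymous-auth=false`
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.2
        text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --authorization-mode
              path: '{.authorization.mode}'
              compare:
                op: nothave
                value: AlwaysAllow
        remediation: |
          If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
          using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --authorization-mode=Webhook
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.3
        text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # Presence-only check: no `compare`, so any value passes.
            - flag: --client-ca-file
              path: '{.authentication.x509.clientCAFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
          the location of the client CA file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_AUTHZ_ARGS variable.
          --client-ca-file=<path/to/client-ca-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.4
        text: "Verify that the --read-only-port argument is set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              compare:
                op: eq
                value: 0
            # Absent setting passes: relies on this RKE2 version defaulting the
            # read-only port to 0 — confirm.
            - flag: "--read-only-port"
              path: '{.readOnlyPort}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --read-only-port=0
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.5
        text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              compare:
                op: noteq
                value: 0
            - flag: --streaming-connection-idle-timeout
              path: '{.streamingConnectionIdleTimeout}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
          value other than 0.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --streaming-connection-idle-timeout=5m
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.6
        text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              compare:
                op: eq
                value: true
              set: true
            # Absent setting passes: relies on this RKE2 version enabling
            # protectKernelDefaults by default — confirm.
            - flag: --protect-kernel-defaults
              path: '{.protectKernelDefaults}'
              set: false
        remediation: |
          If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          --protect-kernel-defaults=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.7
        text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              compare:
                op: eq
                value: true
            - flag: --make-iptables-util-chains
              path: '{.makeIPTablesUtilChains}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove the --make-iptables-util-chains argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.8
        text: "Ensure that the --hostname-override argument is not set (Manual)"
        # This is one of those properties that can only be set as a command line argument.
        # To check if the property is set as expected, we need to parse the kubelet command
        # instead reading the Kubelet Configuration file.
        audit: "/bin/ps -fC $kubeletbin "
        tests:
          test_items:
            - flag: --hostname-override
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and remove the --hostname-override argument from the
          KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false
        # Skipped in this profile; the test above is kept for reference only.
        type: skip

      - id: 4.2.9
        text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            # NOTE(review): this passes only when eventRecordQPS == 0, although the
            # control text and the remediation speak of "an appropriate level", and the
            # remediation names no parameter for the command-line case — confirm the
            # intended value and add it to the remediation text.
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
                op: eq
                value: 0
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.10
        text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          # Presence-only checks; both items must be set (default bin_op is and).
          test_items:
            - flag: --tls-cert-file
              path: '{.tlsCertFile}'
            - flag: --tls-private-key-file
              path: '{.tlsPrivateKeyFile}'
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
          of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
          to the location of the corresponding private key file.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
          --tls-cert-file=<path/to/tls-certificate-file>
          --tls-private-key-file=<path/to/tls-key-file>
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.11
        text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              compare:
                op: eq
                value: true
            - flag: --rotate-certificates
              path: '{.rotateCertificates}'
              set: false
          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
          remove it altogether to use the default value.
          If using command line arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
          variable.
          Based on your system, restart the kubelet service. For example,
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: true

      - id: 4.2.12
        text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          bin_op: or
          test_items:
            # Only an explicit `false` fails; absent or `true` passes.
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              compare:
                op: nothave
                value: false
            - flag: RotateKubeletServerCertificate
              path: '{.featureGates.RotateKubeletServerCertificate}'
              set: false
        remediation: |
          Edit the kubelet service file $kubeletsvc
          on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
          --feature-gates=RotateKubeletServerCertificate=true
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false

      - id: 4.2.13
        text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
        audit: "/bin/ps -fC $kubeletbin"
        audit_config: "/bin/cat $kubeletconf"
        tests:
          test_items:
            - flag: --tls-cipher-suites
              # Joins the configured list with commas so valid_elements can compare
              # it against the allowed set below.
              path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
              compare:
                # valid_elements: every configured suite must be in this list.
                op: valid_elements
                value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        # The config-file key is `tlsCipherSuites` (matching the `path` above);
        # the remediation previously named it `TLSCipherSuites`.
        remediation: |
          If using a Kubelet config file, edit the file to set `tlsCipherSuites` to
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          or to a subset of these values.
          If using executable arguments, edit the kubelet service file
          $kubeletsvc on each worker node and
          set the --tls-cipher-suites parameter as follows, or to a subset of these values.
          --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
          Based on your system, restart the kubelet service. For example:
          systemctl daemon-reload
          systemctl restart kubelet.service
        scored: false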