github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/integration/testdata/Expected_output_stig.data

[INFO] 1 Control Plane Components

== Summary master ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO

[INFO] 2 Control Plane Configuration
[INFO] 2.1 DISA Category Code I
[FAIL] V-242390 The Kubernetes API server must have anonymous authentication disabled (Automated)
[FAIL] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated)
[INFO] 2.2 DISA Category Code II
[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
[WARN] V-242402 The Kubernetes API Server must have an audit log path set (Manual)
[WARN] V-242403 Kubernetes API Server must generate audit records (Manual)
[WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual)
[WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual)
[WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual)
[WARN] V-242464 The Kubernetes API Server audit log retention must be set. (Manual)
[WARN] V-242465 The Kubernetes API Server audit log path must be set. (Manual)
[WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)

== Remediations controlplane ==
V-242390 If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

V-242400 Edit any manifest files or $kubeletconf that contain the feature-gates
setting with AllAlpha set to "true".
Set the flag to "false" or remove the "AllAlpha" setting
completely. Restart the kubelet service if the kubelet config file
is changed.

V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false

V-242402 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

V-242403 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

V-242461 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

V-242462 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

V-242463 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

V-242464 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

V-242443 Upgrade Kubernetes to a supported version.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html


== Summary controlplane ==
0 checks PASS
2 checks FAIL
9 checks WARN
0 checks INFO

[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 DISA Category Code I
[WARN] V-242387 The Kubernetes Kubelet must have the read-only port flag disabled (Manual)
[PASS] V-242391 The Kubernetes Kubelet must have anonymous authentication disabled (Automated)
[PASS] V-242392 The Kubernetes kubelet must enable explicit authorization (Automated)
[FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated)
[WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables. (Manual)
[FAIL] V-242434 Kubernetes Kubelet must enable kernel protection (Automated)
[PASS] V-242435 Kubernetes must prevent non-privileged users from executing privileged functions (Automated)
[FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. (Automated)
[FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)
[WARN] V-242395 Kubernetes dashboard must not be enabled. (Manual)
[PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated)
[PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated)
[PASS] V-242404 Kubernetes Kubelet must deny hostname override (Automated)
[PASS] V-242406 The Kubernetes kubelet configuration file must be owned by root (Automated)
[PASS] V-242407 The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)
[WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)
[WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual)
[WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. (Manual)

== Remediations node ==
V-242387 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

V-242397 Edit /var/lib/kubelet/config.yaml on each node to remove the staticPodPath
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service

V-242415 Run the following command:
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
If any of the values returned reference environment variables
rewrite application code to read secrets from mounted secret files, rather than
from environment variables.

V-242434 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

V-242393 To stop the sshd service, run the command: systemctl stop sshd

V-242394 To disable the sshd service, run the command:
  chkconfig sshd off

V-242395 Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
If any resources are returned, this is a finding.
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
  kubectl delete deployment kubernetes-dashboard --namespace=kube-system

V-242414 For any of the pods that are using ports below 1024,
reconfigure the pod to use a service to map a host non-privileged
port to the pod port or reconfigure the image to use non-privileged ports.

V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command:
 kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
 tr -s '[[:space:]]' '\n' | \
 sort | \
 uniq -c
 Review the images used for pods running within Kubernetes.
 Remove any old pods that are using older images.

V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
Upgrade the Master and Worker nodes to the latest version of kubectl.


== Summary node ==
8 checks PASS
4 checks FAIL
6 checks WARN
0 checks INFO

[INFO] 4 Policies
[INFO] 4.1 Policies - DISA Category Code I
[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
[WARN] V-242383 User-managed resources must be created in dedicated namespaces. (Manual)
[WARN] V-242417 Kubernetes must separate user functionality. (Manual)

== Remediations policies ==
V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false

V-242383 Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.

V-242417 Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.


== Summary policies ==
0 checks PASS
0 checks FAIL
3 checks WARN
0 checks INFO

[INFO] 5 Managed Services
[INFO] 5.1 DISA Category Code I
[INFO] V-242386 The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane
[INFO] V-242388 The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane
[WARN] V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (Manual)
[INFO] V-245542 Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane
[INFO] 5.2 DISA Category Code II
[INFO] V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
[INFO] V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
[INFO] V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane
[INFO] V-242384 The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane
[INFO] V-242385 The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane
[INFO] V-242389 The Kubernetes API server must have the secure port set | Component of EKS Control Plane
[INFO] V-242401 The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane
[INFO] V-242402 The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane
[INFO] V-242403 Kubernetes API Server must generate audit records | Component of EKS Control Plane
[INFO] V-242405 The Kubernetes manifests must be owned by root | Component of EKS Control Plane
[INFO] V-242408 The Kubernetes manifests must have least privileges | Component of EKS Control Plane
[INFO] V-242409 Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane
[INFO] V-242410 The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242411 The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242412 The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242413 The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242418 The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane
[INFO] V-242419 Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242422 Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242423 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242424 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242425 Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane
[INFO] V-242426 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242427 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
[INFO] V-242428 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242429 Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242430 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242431 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
[INFO] V-242432 Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane
[INFO] V-242433 Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane
[INFO] V-242438 Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane
[INFO] V-242444 The Kubernetes component manifests must be owned by root | Component of EKS Control Plane
[INFO] V-242445 The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane
[INFO] V-242446 The Kubernetes conf files must be owned by root | Component of EKS Control Plane
[INFO] V-242447 The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242448 The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane
[INFO] V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242450 The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane
[INFO] V-242451 The Kubernetes component PKI must be owned by root | Component of EKS Control Plane
[INFO] V-242452 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242453 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
[INFO] V-242454 The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane
[INFO] V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242457 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
[INFO] V-242458 The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242460 The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane
[INFO] V-242468 The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane
[INFO] V-245541 Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane
[INFO] V-245543 Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane
[INFO] V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane

== Remediations managedservices ==
V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html


== Summary managedservices ==
0 checks PASS
0 checks FAIL
1 checks WARN
62 checks INFO

== Summary total ==
8 checks PASS
6 checks FAIL
19 checks WARN
62 checks INFO