From 30d5506b4a07fb2747dd4356136c732bc027b550 Mon Sep 17 00:00:00 2001 From: EC2 Default User Date: Wed, 17 Aug 2022 00:22:29 +0000 Subject: [PATCH 1/5] Adding eks-stig-kubernetes-v1r6 --- CONTRIBUTING.md | 1 + cfg/config.yaml | 6 + cfg/eks-stig-kubernetes-v1r6/config.yaml | 9 + .../controlplane.yaml | 85 +++++ .../managedservices.yaml | 267 +++++++++++++ cfg/eks-stig-kubernetes-v1r6/master.yaml | 8 + cfg/eks-stig-kubernetes-v1r6/node.yaml | 350 ++++++++++++++++++ cfg/eks-stig-kubernetes-v1r6/policies.yaml | 34 ++ docs/architecture.md | 6 + docs/platforms.md | 6 +- docs/running.md | 27 +- hack/kind-stig.test.yaml | 56 +++ hack/kind-stig.yaml | 56 +++ .../testdata/Expected_output_stig.data | 248 +++++++++++++ job-eks-stig.yaml | 43 +++ makefile | 12 + 16 files changed, 1212 insertions(+), 2 deletions(-) create mode 100644 cfg/eks-stig-kubernetes-v1r6/config.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/controlplane.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/managedservices.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/master.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/node.yaml create mode 100644 cfg/eks-stig-kubernetes-v1r6/policies.yaml create mode 100644 hack/kind-stig.test.yaml create mode 100644 hack/kind-stig.yaml create mode 100644 integration/testdata/Expected_output_stig.data create mode 100644 job-eks-stig.yaml diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 66c3e17c7..f4b6f1eb5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -77,3 +77,4 @@ Finally, we can use the `make kind-run` target to run the current version of kub Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` ) +To run the STIG tests locally execute the following: `make build-docker kind-push kind-run-stig` diff --git a/cfg/config.yaml b/cfg/config.yaml index fcb8bd84c..fbcfd8448 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml 
@@ -324,3 +324,9 @@ target_mapping: - "controlplane" - "policies" - "etcd" + "eks-stig-kubernetes-v1r6": + - "node" + - "controlplane" + - "policies" + - "managedservices" + \ No newline at end of file diff --git a/cfg/eks-stig-kubernetes-v1r6/config.yaml b/cfg/eks-stig-kubernetes-v1r6/config.yaml new file mode 100644 index 000000000..17301a751 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/config.yaml @@ -0,0 +1,9 @@ +--- +## Version-specific settings that override the values in cfg/config.yaml +## These settings are required if you are using the --asff option to report findings to AWS Security Hub +## AWS account number is required. +AWS_ACCOUNT: "" +## AWS region is required. +AWS_REGION: "" +## EKS Cluster ARN is required. +CLUSTER_ARN: "" diff --git a/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml new file mode 100644 index 000000000..aa5a3ec30 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml 
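Review bot: The new `eks-stig-kubernetes-v1r6` entry maps only `node`, `controlplane`, `policies` and `managedservices`, while the same commit adds `cfg/eks-stig-kubernetes-v1r6/master.yaml` and the `docs/architecture.md` hunk advertises `master` as a valid target for this benchmark, so the mapping and the documentation disagree. Either add `- "master"` here or drop the empty master.yaml stub and the `master` entry from the docs table; given that EKS does not expose control-plane nodes to customers, dropping it appears to be the honest choice. The hunk also ends with a whitespace-only line and no trailing newline, which yamllint will flag.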
@@ -0,0 +1,85 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 2 +text: "Control Plane Configuration" +type: "controlplane" +groups: + - id: 2.2 + text: "DISA Category Code II" + checks: + - id: V-242381 + text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)" + type: "manual" + remediation: | + Create explicit service accounts wherever a Kubernetes workload requires specific access + to the Kubernetes API server. + Modify the configuration of each default service account to include this value + automountServiceAccountToken: false + scored: false + + - id: V-242402 + text: "Enable audit logs (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + + - id: V-242403 + text: "Enable audit logs (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + + - id: V-242461 + text: "Kubernetes API Server audit logs must be enabled. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + + - id: V-242462 + text: "The Kubernetes API Server must be set to audit log max size. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + + - id: V-242463 + text: "The Kubernetes API Server must be set to audit log maximum backup. 
(Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + + - id: V-242464 + text: "The Kubernetes API Server audit log retention must be set. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + + - id: V-242465 + text: "The Kubernetes API Server audit log path must be set. (Manual)" + type: "manual" + remediation: | + Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + scored: false + + - id: 2.2 + text: "DISA Category Code II" + checks: + - id: V-242443 + text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)" + type: "manual" + remediation: | + Upgrade Kubernetes to a supported version. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html \ No newline at end of file diff --git a/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml new file mode 100644 index 000000000..4fd3afe17 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml 
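Review bot: Group id `2.2` is defined twice in this file (both labelled "DISA Category Code II"), and the last check, V-242443, has no `scored:` key unlike every other check here; give the second group its own id (e.g. `- id: 2.3`) or fold V-242443 into the first group, and add `scored: false`. Several IDs in this hunk also appear elsewhere in the commit with a different type: V-242402 and V-242403 are `manual` here but `skip` in managedservices.yaml, and V-242381 is repeated verbatim in policies.yaml, so one STIG finding will be reported twice with conflicting status. V-242402 and V-242403 carry the generic text "Enable audit logs (Manual)" while the managedservices copies carry the actual STIG titles; one wording should be kept and the duplicates removed. For V-242464 (retention) the remediation only says to enable control-plane logging; if retention on EKS is governed by the CloudWatch log group settings, a sentence pointing the operator there would make the control actionable — worth confirming against the EKS docs referenced.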
@@ -0,0 +1,267 @@ +controls: +version: "eks-stig-kubernetes-v1r6" +id: 5 +text: "Managed Services" +type: "managedservices" +groups: + - id: 5.1 + text: "DISA Category Code I" + checks: + - id: V-242386 + text: "The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane" + type: "skip" + + - id: V-242388 + text: "The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane" + type: "skip" + + - id: V-242436 + text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)" + type: "manual" + remediation: | + Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook + Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html + scored: false + + - id: V-245542 + text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane" + type: "skip" + + - id: 5.2 + text: "DISA Category Code II" + checks: + - id: V-242376 + text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane" + type: "skip" + + - id: V-242377 + text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane" + type: "skip" + + - id: V-242378 + text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane" + type: "skip" + + - id: V-242379 + text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane" + type: "skip" + + - id: V-242380 + text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane" + type: "skip" + + - id: V-242382 + text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane" + type: "skip" + + - id: V-242384 + text: "The 
Kubernetes Scheduler must have secure binding | Component of EKS Control Plane" + type: "skip" + + - id: V-242385 + text: "The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane" + type: "skip" + + - id: V-242389 + text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane" + type: "skip" + + - id: V-242401 + text: "The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane" + type: "skip" + + - id: V-242402 + text: "The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane" + type: "skip" + + - id: V-242403 + text: "Kubernetes API Server must generate audit records | Component of EKS Control Plane" + type: "skip" + + - id: V-242405 + text: "The Kubernetes manifests must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242408 + text: "The Kubernetes manifests must have least privileges | Component of EKS Control Plane" + type: "skip" + + - id: V-242409 + text: "Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane" + type: "skip" + + - id: V-242410 + text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242411 + text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242412 + text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242413 + text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane" + type: "skip" + + - id: V-242418 + text: "The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane" + type: "skip" + + - id: V-242419 + text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + - id: 
V-242420 + text: "Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + - id: V-242421 + text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + - id: V-242422 + text: "Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242423 + text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242424 + text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242425 + text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242426 + text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane" + type: "skip" + + - id: V-242427 + text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242428 + text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242429 + text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane" + type: "skip" + + - id: V-242430 + text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242431 + text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242432 + text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane" + type: "skip" + + - id: V-242433 + text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane" + type: 
"skip" + + - id: V-242438 + text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane" + type: "skip" + + - id: V-242444 + text: "The Kubernetes component manifests must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242445 + text: "The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane" + type: "skip" + + - id: V-242446 + text: "The Kubernetes conf files must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242447 + text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242448 + text: "The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242449 + text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242450 + text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242451 + text: "The Kubernetes component PKI must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242452 + text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242453 + text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242454 + text: "The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242455 + text: "The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242456 + text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of 
EKS Control Plane" + type: "skip" + + - id: V-242457 + text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane" + type: "skip" + + - id: V-242458 + text: "The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242459 + text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242460 + text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242466 + text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242467 + text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane" + type: "skip" + + - id: V-242468 + text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane" + type: "skip" + + - id: V-245541 + text: "Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane" + type: "skip" + + - id: V-245543 + text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane" + type: "skip" + + - id: V-245544 + text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane" + type: "skip" diff --git a/cfg/eks-stig-kubernetes-v1r6/master.yaml b/cfg/eks-stig-kubernetes-v1r6/master.yaml new file mode 100644 index 000000000..a10898328 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/master.yaml @@ -0,0 +1,8 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 1 +text: "Control Plane Components" +type: "master" + + \ No newline at end of file 
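Review bot: Several checks are skipped as "Component of EKS Control Plane" although their titles describe worker-node components that customers do own on EKS: V-242420 and V-242425 (kubelet client CA and tls-cert-file), V-242447/V-242448 (kube-proxy file permissions and ownership), V-242449/V-242450 (kubelet CA file), V-242452/V-242453 and V-242456/V-242457 (kubelet config file), and V-245541 (kubelet timeouts). These can be audited on the node with the same `ps`/`cat`/`stat` pattern node.yaml already uses, so marking them `skip` silently removes real coverage; each should either move to node.yaml as an automated check or carry a justification that names why it is not testable on EKS nodes. Unlike the sibling files, this document also lacks the leading `---` marker.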
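Review bot: master.yaml is a controls document with no `groups:` key, a trailing whitespace-only line and no final newline, and the `master` target is not listed in the new `target_mapping` entry in cfg/config.yaml, so this file cannot be reached through the benchmark while docs/architecture.md still lists `master` as valid. Either remove the stub together with the docs entry, or if it is meant as a placeholder, add an explicit empty `groups: []` and a comment such as `# No master checks: EKS does not expose control-plane nodes; see managedservices.yaml` so a reader knows the omission is deliberate.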
diff --git a/cfg/eks-stig-kubernetes-v1r6/node.yaml b/cfg/eks-stig-kubernetes-v1r6/node.yaml new file mode 100644 index 000000000..c431460f0 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/node.yaml 
@@ -0,0 +1,350 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 3 +text: "Worker Node Security Configuration" +type: "node" +groups: + - id: 3.1 + text: "DISA Category Code I" + checks: + - id: V-242387 #CIS 3.2.4 + text: "Ensure that the --read-only-port argument is set to 0 (Manual)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: "--read-only-port" + path: '{.readOnlyPort}' + set: true + compare: + op: eq + value: 0 + remediation: | + If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0. + If using command line arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --read-only-port=0 + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: false + + - id: V-242390 + text: "Ensure that the --anonymous-auth argument is set to false (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: "--anonymous-auth" + path: '{.authentication.anonymous.enabled}' + set: true + compare: + op: eq + value: false + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to + false. + If using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --anonymous-auth=false + Based on your system, restart the kubelet service. 
For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: V-242391 #CIS 3.2.1 + text: "Ensure that the --anonymous-auth argument is set to false (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: "--anonymous-auth" + path: '{.authentication.anonymous.enabled}' + set: true + compare: + op: eq + value: false + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to + false. + If using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --anonymous-auth=false + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: V-242392 #CIS 3.2.2 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: --authorization-mode + path: '{.authorization.mode}' + set: true + compare: + op: nothave + value: AlwaysAllow + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If + using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_AUTHZ_ARGS variable. + --authorization-mode=Webhook + Based on your system, restart the kubelet service. 
For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: V-242397 + text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - path: '{.staticPodPath}' + set: false + remediation: | + Edit $kubeletconf on each node to to remove the staticPodPath + Based on your system, restart the kubelet service. For example, + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: V-242415 + text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)" + type: "manual" + remediation: | + Run the following command: + kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A + If any of the values returned reference environment variables + rewrite application code to read secrets from mounted secret files, rather than + from environment variables. + scored: false + + - id: V-242434 #CIS 3.2.6 + text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: --protect-kernel-defaults + path: '{.protectKernelDefaults}' + set: true + compare: + op: eq + value: true + remediation: | + If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true. + If using command line arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --protect-kernel-defaults=true + Based on your system, restart the kubelet service. 
For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: V-242435 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + test_items: + - flag: --authorization-mode + path: '{.authorization.mode}' + set: true + compare: + op: nothave + value: AlwaysAllow + remediation: | + If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If + using executable arguments, edit the kubelet service file + $kubeletsvc on each worker node and + set the below parameter in KUBELET_AUTHZ_ARGS variable. + --authorization-mode=Webhook + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: V-242393 + text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)" + audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' ' + tests: + test_items: + - flag: ActiveState + compare: + op: eq + value: inactive + remediation: | + To stop the sshd service, run the command: systemctl stop sshd + scored: true + + - id: V-242394 + text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)" + audit: "/bin/sh -c 'systemctl is-enabled sshd.service'" + tests: + test_items: + - flag: "disabled" + remediation: | + To disable the sshd service, run the command: + chkconfig sshd off + scored: true + + - id: V-242395 + text: "Kubernetes dashboard must not be enabled. (Manual)" + type: "manual" + remediation: | + Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard + If any resources are returned, this is a finding. 
+ Fix Text: Delete the Kubernetes dashboard deployment with the following command: + kubectl delete deployment kubernetes-dashboard --namespace=kube-system + scored: false + + - id: V-242398 + text: "Kubernetes DynamicAuditing must not be enabled. (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + bin_op: or + test_items: + - flag: "--feature-gates" + compare: + op: nothave + value: "DynamicAuditing=true" + set: true + - flag: "--feature-gates" + set: false + remediation: | + Edit any manifest files or kubelet config files that contain the feature-gates + setting with DynamicAuditing set to "true". + Set the flag to "false" or remove the "DynamicAuditing" setting + completely. Restart the kubelet service if the kubelet config file + if the kubelet config file is changed. + scored: true + + - id: V-242399 + text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + bin_op: or + test_items: + - flag: "--feature-gates" + compare: + op: nothave + value: "DynamicKubeletConfig=true" + set: true + - flag: "--feature-gates" + set: false + remediation: | + Edit any manifest files or $kubeletconf that contain the feature-gates + setting with DynamicKubeletConfig set to "true". + Set the flag to "false" or remove the "DynamicKubeletConfig" setting + completely. Restart the kubelet service if the kubelet config file + if the kubelet config file is changed. + scored: true + + - id: V-242400 + text: "The Kubernetes API server must have Alpha APIs disabled (Automated)" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" + tests: + bin_op: or + test_items: + - flag: "--feature-gates" + compare: + op: nothave + value: "AllAlpha=true" + set: true + - flag: "--feature-gates" + set: false + remediation: | + Edit any manifest files or $kubeletconf that contain the feature-gates + setting with AllAlpha set to "true". 
+ Set the flag to "false" or remove the "AllAlpha" setting + completely. Restart the kubelet service if the kubelet config file + if the kubelet config file is changed. + scored: true + + - id: V-242404 #CIS 3.2.8 + text: "Ensure that the --hostname-override argument is not set (Automated)" + # This is one of those properties that can only be set as a command line argument. + # To check if the property is set as expected, we need to parse the kubelet command + # instead reading the Kubelet Configuration file. + audit: "/bin/ps -fC $kubeletbin " + tests: + test_items: + - flag: --hostname-override + set: false + remediation: | + Edit the kubelet service file $kubeletbin + on each worker node and remove the --hostname-override argument from the + KUBELET_SYSTEM_PODS_ARGS variable. + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: V-242406 + text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)" + audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' ' + tests: + test_items: + - flag: root:root + remediation: | + Run the below command (based on the file location on your system) on the each worker node. + For example, + chown root:root $kubeletkubeconfig + scored: true + + - id: V-242407 + text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)" + audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "644" + remediation: | + Run the following command (using the config file location identified in the Audit step) + chmod 644 $kubeletconf + scored: true + + - id: V-242414 + text: "The Kubernetes cluster must use non-privileged host ports for user pods. 
(Manual)" + type: "manual" + remediation: | + For any of the pods that are using ports below 1024, + reconfigure the pod to use a service to map a host non-privileged + port to the pod port or reconfigure the image to use non-privileged ports. + scored: false + + - id: V-242442 + text: "Kubernetes must remove old components after updated versions have been installed. (Manual)" + type: "manual" + remediation: | + To view all pods and the images used to create the pods, from the Master node, run the following command: + kubectl get pods --all-namespaces -o jsonpath="{..image}" | \ + tr -s '[[:space:]]' '\n' | \ + sort | \ + uniq -c + Review the images used for pods running within Kubernetes. + Remove any old pods that are using older images. + scored: false + + - id: V-242396 + text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)" + type: "manual" + remediation: | + If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. + Upgrade the Master and Worker nodes to the latest version of kubectl. + scored: false \ No newline at end of file diff --git a/cfg/eks-stig-kubernetes-v1r6/policies.yaml b/cfg/eks-stig-kubernetes-v1r6/policies.yaml new file mode 100644 index 000000000..39b0a3d20 --- /dev/null +++ b/cfg/eks-stig-kubernetes-v1r6/policies.yaml 
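Review bot: V-242390 and V-242391 are byte-for-byte the same kubelet `--anonymous-auth` check, so one misconfiguration is reported twice; if V-242390 is the API-server variant of this control in the STIG, it belongs in managedservices.yaml as a control-plane skip rather than here (V-242392 and V-242435 duplicate each other the same way). The V-242404 remediation tells the operator to "Edit the kubelet service file $kubeletbin"; every other check in this hunk uses `$kubeletsvc` for the unit file, so the line should read `Edit the kubelet service file $kubeletsvc`. V-242394 only accepts the literal `disabled` from `systemctl is-enabled`, so a `masked` or absent sshd unit — the stricter state — fails the check, and its remediation `chkconfig sshd off` is SysV while the audit is systemd; `systemctl disable --now sshd` would match the audit and also cover the V-242393 stop step.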
@@ -0,0 +1,34 @@ +--- +controls: +version: "eks-stig-kubernetes-v1r6" +id: 4 +text: "Policies" +type: "policies" +groups: + - id: 4.1 + text: "Policies - DISA Category Code I" + checks: + - id: V-242381 + text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)" + type: "manual" + remediation: | + Create explicit service accounts wherever a Kubernetes workload requires specific access + to the Kubernetes API server. + Modify the configuration of each default service account to include this value + automountServiceAccountToken: false + scored: false + + - id: V-242383 + text: "User-managed resources must be created in dedicated namespaces. (Manual)" + type: "manual" + remediation: | + Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces. + scored: false + + - id: V-242417 + text: "Kubernetes must separate user functionality. (Manual)" + type: "manual" + remediation: | + Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces. + scored: false + \ No newline at end of file diff --git a/docs/architecture.md b/docs/architecture.md index 18370634e..b423a71ac 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -27,4 +27,10 @@ The following table shows the valid targets based on the CIS Benchmark version. | rh-0.7 | master,node| | rh-1.0 | master, controlplane, node, etcd, policies | +The following table shows the valid DISA STIG versions + +| STIG | Targets | +|----------------------------|---------| +| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices | + diff --git a/docs/platforms.md b/docs/platforms.md index 0883eed71..8d4e3d7eb 100644 --- a/docs/platforms.md +++ b/docs/platforms.md 
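Review bot: V-242381 is repeated here verbatim from controlplane.yaml, but under a group labelled "DISA Category Code I" whereas the controlplane copy sits under "DISA Category Code II", so the same finding will be emitted twice with two different severities; keep one copy and make its group label match the STIG's category for that ID. The remediation could be made directly actionable, e.g. `kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}'` run in each namespace, in addition to creating per-workload service accounts. The file also ends with a whitespace-only line and no trailing newline.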
@@ -2,7 +2,10 @@ ## CIS Kubernetes Benchmark support kube-bench supports running tests for Kubernetes. -Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). +Most of our supported benchmarks are defined in one of the following: + [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/) + [STIG Document Library](https://public.cyber.mil/stigs/downloads) + Some defined by other hardenening guides. | Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions | @@ -18,3 +21,4 @@ Some defined by other hardenening guides. | CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS | | RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | | CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- | +| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS | diff --git a/docs/running.md b/docs/running.md index 04af7bb50..11b37d61c 100644 --- a/docs/running.md +++ b/docs/running.md @@ -77,7 +77,7 @@ docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install ``` kube-bench cannot be run on AKS master nodes -### Running in an EKS cluster +### Running CIS benchmark in an EKS cluster There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed 
@@ -103,6 +103,31 @@ docker push .dkr.ecr..amazonaws.com/k8s/kube-bench: 8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-` - You can save the report for later reference: `kubectl logs kube-bench- > kube-bench-report.txt` +### Running DISA STIG in an EKS cluster + +There is a `job-eks-stig.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed + +1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide* + - Information on configuring `eksctl`, `kubectl` and the AWS CLI is within +2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image +``` +aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE +``` +3. Download, build and push the kube-bench container image to your ECR repo +``` +git clone https://github.com/aquasecurity/kube-bench.git +cd kube-bench +aws ecr get-login-password --region | docker login --username AWS --password-stdin .dkr.ecr..amazonaws.com +docker build -t k8s/kube-bench . +docker tag k8s/kube-bench:latest .dkr.ecr..amazonaws.com/k8s/kube-bench:latest +docker push .dkr.ecr..amazonaws.com/k8s/kube-bench:latest +``` +4. Copy the URI of your pushed image, the URI format is like this: `.dkr.ecr..amazonaws.com/k8s/kube-bench:latest` +5. Replace the `image` value in `job-eks-stig.yaml` with the URI from Step 4 +6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks-stig.yaml` +7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces` +8. 
Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-` + - You can save the report for later reference: `kubectl logs kube-bench- > kube-bench-report.txt` ### Running on OpenShift diff --git a/hack/kind-stig.test.yaml b/hack/kind-stig.test.yaml new file mode 100644 index 000000000..102eb3f21 --- /dev/null +++ b/hack/kind-stig.test.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench +spec: + template: + metadata: + labels: + app: kube-bench + spec: + hostPID: true + containers: + - name: kube-bench + image: docker.io/aquasec/kube-bench:5c76890 + command: [ + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + - name: etc-systemd + mountPath: /etc/systemd + - name: etc-kubernetes + mountPath: /etc/kubernetes + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + - name: kind-bin + mountPath: /kind/bin + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" + - name: kind-bin + hostPath: + path: "/kind/bin" diff --git a/hack/kind-stig.yaml b/hack/kind-stig.yaml new file mode 100644 index 000000000..314aba860 --- /dev/null +++ b/hack/kind-stig.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench +spec: + template: + metadata: + labels: + app: kube-bench + spec: + hostPID: true + containers: + - name: kube-bench + image: docker.io/aquasec/kube-bench:${VERSION} + command: [ + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + - name: etc-systemd + mountPath: /etc/systemd + - name: etc-kubernetes + mountPath: /etc/kubernetes + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + - name: kind-bin + mountPath: /kind/bin + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" + - name: kind-bin + hostPath: + path: "/kind/bin" diff --git a/integration/testdata/Expected_output_stig.data b/integration/testdata/Expected_output_stig.data new file mode 100644 index 000000000..70262a155 --- /dev/null +++ b/integration/testdata/Expected_output_stig.data 
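Review bot: None of the hostPath mounts in this kind job carry `readOnly: true`, even though the EKS variant added in the same patch marks its `/var/lib/kubelet`, `/etc/systemd` and `/etc/kubernetes` mounts read-only; a scanner that runs with `hostPID: true` (needed for the `ps -fC $kubeletbin` audits) should not also hold writable access to kubelet state, systemd units and host binaries. The `/var/lib/etcd` mount is also unnecessary here: the STIG target list documented in this patch is master, controlplane, node, policies and managedservices — there is no etcd target — so the mount only widens the job's footprint. Suggested volumeMounts (drop the matching `var-lib-etcd` volume as well):

```yaml
        volumeMounts:
          - name: var-lib-kubelet
            mountPath: /var/lib/kubelet
            readOnly: true
          - name: etc-systemd
            mountPath: /etc/systemd
            readOnly: true
          - name: etc-kubernetes
            mountPath: /etc/kubernetes
            readOnly: true
          - name: usr-bin
            mountPath: /usr/local/mount-from-host/bin
            readOnly: true
          - name: kind-bin
            mountPath: /kind/bin
            readOnly: true
      # … unchanged: restartPolicy and volumes, minus the var-lib-etcd entry …
```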
@@ -0,0 +1,248 @@ +[INFO] 1 Control Plane Components + +== Summary master == +0 checks PASS +0 checks FAIL +0 checks WARN +0 checks INFO + +[INFO] 2 Control Plane Configuration +[INFO] 2.2 DISA Category Code II +[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual) +[WARN] V-242402 Enable audit logs (Manual) +[WARN] V-242403 Enable audit logs (Manual) +[WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual) +[WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual) +[WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual) +[WARN] V-242464 The Kubernetes API Server audit log retention must be set. (Manual) +[WARN] V-242465 The Kubernetes API Server audit log path must be set. (Manual) +[WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual) + +== Remediations controlplane == +V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access +to the Kubernetes API server. +Modify the configuration of each default service account to include this value +automountServiceAccountToken: false + +V-242402 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242403 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242461 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242462 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. 
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242463 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242464 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + +V-242443 Upgrade Kubernetes to a supported version. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html + +== Summary controlplane == +0 checks PASS +0 checks FAIL +9 checks WARN +0 checks INFO + +[INFO] 3 Worker Node Security Configuration +[INFO] 3.1 DISA Category Code I +[WARN] V-242387 Ensure that the --read-only-port argument is set to 0 (Manual) +[PASS] V-242390 Ensure that the --anonymous-auth argument is set to false (Automated) +[PASS] V-242391 Ensure that the --anonymous-auth argument is set to false (Automated) +[PASS] V-242392 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) +[FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated) +[WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables.(Manual) +[FAIL] V-242434 Ensure that the --protect-kernel-defaults argument is set to true (Automated) +[PASS] V-242435 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) +[FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. (Automated) +[FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated) +[WARN] V-242395 Kubernetes dashboard must not be enabled. 
(Manual) +[PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated) +[PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated) +[PASS] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated) +[PASS] V-242404 Ensure that the --hostname-override argument is not set (Automated) +[PASS] V-242406 Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated) +[PASS] V-242407 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated) +[WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual) +[WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual) +[WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. (Manual) + +== Remediations node == +V-242387 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set readOnlyPort to 0. +If using command line arguments, edit the kubelet service file +/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and +set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. +--read-only-port=0 +Based on your system, restart the kubelet service. For example: +systemctl daemon-reload +systemctl restart kubelet.service + +V-242397 Edit /var/lib/kubelet/config.yaml on each node to to remove the staticPodPath +Based on your system, restart the kubelet service. For example, +systemctl daemon-reload +systemctl restart kubelet.service + +V-242415 Run the following command: +kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A +If any of the values returned reference environment variables +rewrite application code to read secrets from mounted secret files, rather than +from environment variables. + +V-242434 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set protectKernelDefaults: true. 
+If using command line arguments, edit the kubelet service file +/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and +set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. +--protect-kernel-defaults=true +Based on your system, restart the kubelet service. For example: +systemctl daemon-reload +systemctl restart kubelet.service + +V-242393 To stop the sshd service, run the command: systemctl stop sshd + +V-242394 To disable the sshd service, run the command: + chkconfig sshd off + +V-242395 Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard +If any resources are returned, this is a finding. +Fix Text: Delete the Kubernetes dashboard deployment with the following command: + kubectl delete deployment kubernetes-dashboard --namespace=kube-system + +V-242414 For any of the pods that are using ports below 1024, +reconfigure the pod to use a service to map a host non-privileged +port to the pod port or reconfigure the image to use non-privileged ports. + +V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command: + kubectl get pods --all-namespaces -o jsonpath="{..image}" | \ + tr -s '[[:space:]]' '\n' | \ + sort | \ + uniq -c + Review the images used for pods running within Kubernetes. + Remove any old pods that are using older images. + +V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. +Upgrade the Master and Worker nodes to the latest version of kubectl. + + +== Summary node == +10 checks PASS +4 checks FAIL +6 checks WARN +0 checks INFO + +[INFO] 4 Policies +[INFO] 4.1 Policies - DISA Category Code I +[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual) +[WARN] V-242383 User-managed resources must be created in dedicated namespaces. (Manual) +[WARN] V-242417 Kubernetes must separate user functionality. 
(Manual) + +== Remediations policies == +V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access +to the Kubernetes API server. +Modify the configuration of each default service account to include this value +automountServiceAccountToken: false + +V-242383 Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces. + +V-242417 Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces. + + +== Summary policies == +0 checks PASS +0 checks FAIL +3 checks WARN +0 checks INFO + +[INFO] 5 Managed Services +[INFO] 5.1 DISA Category Code I +[INFO] V-242386 The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane +[INFO] V-242388 The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane +[WARN] V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual) +[INFO] V-245542 Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane +[INFO] 5.2 DISA Category Code II +[INFO] V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane +[INFO] V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane +[INFO] V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane +[INFO] V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane +[INFO] V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane +[INFO] V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane +[INFO] V-242384 The 
Kubernetes Scheduler must have secure binding | Component of EKS Control Plane +[INFO] V-242385 The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane +[INFO] V-242389 The Kubernetes API server must have the secure port set | Component of EKS Control Plane +[INFO] V-242401 The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane +[INFO] V-242402 The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane +[INFO] V-242403 Kubernetes API Server must generate audit records | Component of EKS Control Plane +[INFO] V-242405 The Kubernetes manifests must be owned by root | Component of EKS Control Plane +[INFO] V-242408 The Kubernetes manifests must have least privileges | Component of EKS Control Plane +[INFO] V-242409 Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane +[INFO] V-242410 The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242411 The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242412 The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242413 The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane +[INFO] V-242418 The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane +[INFO] V-242419 Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242422 Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane +[INFO] V-242423 Kubernetes etcd must enable client 
authentication to secure service | Component of EKS Control Plane +[INFO] V-242424 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane +[INFO] V-242425 Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane +[INFO] V-242426 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane +[INFO] V-242427 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane +[INFO] V-242428 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane +[INFO] V-242429 Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane +[INFO] V-242430 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane +[INFO] V-242431 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane +[INFO] V-242432 Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane +[INFO] V-242433 Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane +[INFO] V-242438 Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane +[INFO] V-242444 The Kubernetes component manifests must be owned by root | Component of EKS Control Plane +[INFO] V-242445 The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane +[INFO] V-242446 The Kubernetes conf files must be owned by root | Component of EKS Control Plane +[INFO] V-242447 The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242448 The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane +[INFO] V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or 
more restrictive | Component of EKS Control Plane +[INFO] V-242450 The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane +[INFO] V-242451 The Kubernetes component PKI must be owned by root | Component of EKS Control Plane +[INFO] V-242452 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242453 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane +[INFO] V-242454 The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane +[INFO] V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242457 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane +[INFO] V-242458 The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242460 The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane +[INFO] V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane +[INFO] V-242468 The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane +[INFO] V-245541 Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane +[INFO] V-245543 Kubernetes API Server must disable token authentication to protect information in transit 
| Component of EKS Control Plane +[INFO] V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane + +== Remediations managedservices == +V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook +Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html + + +== Summary managedservices == +0 checks PASS +0 checks FAIL +1 checks WARN +62 checks INFO + +== Summary total == +10 checks PASS +4 checks FAIL +19 checks WARN +62 checks INFO + diff --git a/job-eks-stig.yaml b/job-eks-stig.yaml new file mode 100644 index 000000000..65ce5dc9a --- /dev/null +++ b/job-eks-stig.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench +spec: + template: + spec: + hostPID: true + containers: + - name: kube-bench + # Push the image to your ECR and then refer to it here + # image: + image: docker.io/aquasec/kube-bench:latest + # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead + command: + [ + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] + volumeMounts: + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + readOnly: true + - name: etc-systemd + mountPath: /etc/systemd + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + restartPolicy: Never + volumes: + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" diff --git a/makefile b/makefile index c60705692..61b5b54e9 100644 --- a/makefile +++ b/makefile 
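Review bot: The controlplane section of this fixture prints a single group header, `[INFO] 2.2 DISA Category Code II`, above all nine checks, yet the controlplane.yaml hunk in the second patch shows a second group with `id: 2.2` beginning only after V-242465 — so either the first group's id is also 2.2 (a duplicate key kube-bench will not flag) or its header is being dropped; the ids should be distinct (2.1/2.2, as the node file does with 3.1) and the fixture regenerated. The fixture also pins V-242381 as a WARN in both the controlplane and policies sections, which is the double-count inherited from the config rather than a property of the cluster under test. The FAIL results for V-242393/V-242394/V-242397/V-242434 are kind-node specifics (sshd, static pods, kernel defaults) and are fine to freeze here, but a one-line comment in the makefile target explaining why the STIG run is expected to fail these would save the next maintainer a surprise.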
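Review bot: `image: docker.io/aquasec/kube-bench:latest` is a mutable tag on a job that runs with `hostPID: true` and host-path access to kubelet and systemd configuration; a security scanner's image should be pinned to a release tag or an `@sha256:` digest so the running code is the one that was reviewed, and the ECR comment above it should say so (`# Pin to a release tag or digest, e.g. ...:vX.Y.Z@sha256:<digest>`). The `readOnly: true` on all three mounts is the right call and is what the kind manifest in this same patch is missing. It is not clear from the visible files whether kube-bench needs the pod's service-account token for anything on this benchmark (`--benchmark` is passed explicitly); if it does not, `automountServiceAccountToken: false` on the pod spec would let the job satisfy the very V-242381 control it reports on — verify against the kube-bench version-detection path before adding it.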
@@ -78,3 +78,15 @@ kind-run: kind-push kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \ kubectl logs job/kube-bench > ./test.data && \ diff ./test.data integration/testdata/Expected_output.data + +kind-run-stig: KUBECONFIG = "./kubeconfig.kube-bench" +kind-run-stig: kind-push + sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind-stig.yaml > ./hack/kind-stig.test.yaml + kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG) + -KUBECONFIG=$(KUBECONFIG) \ + kubectl delete job kube-bench + KUBECONFIG=$(KUBECONFIG) \ + kubectl apply -f ./hack/kind-stig.test.yaml && \ + kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \ + kubectl logs job/kube-bench > ./test.data && \ + diff ./test.data integration/testdata/Expected_output_stig.data From 836e6f8e5211de822d97af1518559044002a83dd Mon Sep 17 00:00:00 2001 From: Chris Renzo <86670002+crenzoaws@users.noreply.github.com> Date: Wed, 7 Sep 2022 14:24:42 +0000 Subject: [PATCH 2/5] Fixing lint errors --- cfg/config.yaml | 1 - .../controlplane.yaml | 36 +++----- .../managedservices.yaml | 5 +- cfg/eks-stig-kubernetes-v1r6/master.yaml | 2 - cfg/eks-stig-kubernetes-v1r6/node.yaml | 87 ++++++++----------- cfg/eks-stig-kubernetes-v1r6/policies.yaml | 7 +- hack/kind-stig.test.yaml | 10 +-- hack/kind-stig.yaml | 10 +-- 8 files changed, 64 insertions(+), 94 deletions(-) diff --git a/cfg/config.yaml b/cfg/config.yaml index fbcfd8448..bb0e5f3ce 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -329,4 +329,3 @@ target_mapping: - "controlplane" - "policies" - "managedservices" - \ No newline at end of file diff --git a/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml index aa5a3ec30..6d59aac77 100644 --- a/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml +++ b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml 
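Review bot: The `KUBECONFIG=$(KUBECONFIG)` prefix on the `kubectl apply` line applies only to that first command — under `&&` the following `kubectl wait` and `kubectl logs` run against the caller's default kubeconfig, not `./kubeconfig.kube-bench` (this mirrors the existing `kind-run` target shown in context, so it is an inherited defect). Either prefix each kubectl invocation, or add `export KUBECONFIG` beneath the target-specific assignment so make passes it to the whole recipe. Separately, `sed ... > ./hack/kind-stig.test.yaml` regenerates a file that this patch also commits with a hard-coded image tag; every `make kind-run-stig` will dirty the tree, so the generated file should be removed from the commit and listed in `.gitignore` (`hack/kind-stig.test.yaml`). The `--timeout=60s` wait may also be tight for a first image pull on kind; consider matching whatever `kind-run` has proven sufficient in CI.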
@@ -17,63 +17,55 @@ groups: Modify the configuration of each default service account to include this value automountServiceAccountToken: false scored: false - - id: V-242402 text: "Enable audit logs (Manual)" - type: "manual" + type: "manual" remediation: | Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html scored: false - - id: V-242403 text: "Enable audit logs (Manual)" - type: "manual" + type: "manual" remediation: | Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html scored: false - - id: V-242461 text: "Kubernetes API Server audit logs must be enabled. (Manual)" - type: "manual" + type: "manual" remediation: | Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html - scored: false - + scored: false - id: V-242462 text: "The Kubernetes API Server must be set to audit log max size. (Manual)" - type: "manual" + type: "manual" remediation: | Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html - scored: false - + scored: false - id: V-242463 text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)" - type: "manual" + type: "manual" remediation: | Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html - scored: false - + scored: false - id: V-242464 text: "The Kubernetes API Server audit log retention must be set. 
(Manual)" - type: "manual" + type: "manual" remediation: | Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html - scored: false - + scored: false - id: V-242465 text: "The Kubernetes API Server audit log path must be set. (Manual)" - type: "manual" + type: "manual" remediation: | Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html - scored: false - + scored: false - id: 2.2 text: "DISA Category Code II" checks: @@ -81,5 +73,5 @@ groups: text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)" type: "manual" remediation: | - Upgrade Kubernetes to a supported version. - Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html \ No newline at end of file + Upgrade Kubernetes to a supported version. + Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html diff --git a/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml index 4fd3afe17..23c4eaa9f 100644 --- a/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml +++ b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml @@ -1,3 +1,4 @@ +--- controls: version: "eks-stig-kubernetes-v1r6" id: 5 @@ -20,9 +21,9 @@ groups: type: "manual" remediation: | Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook - Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html + Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html scored: false - + - id: V-245542 text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane" type: "skip" 
diff --git a/cfg/eks-stig-kubernetes-v1r6/master.yaml b/cfg/eks-stig-kubernetes-v1r6/master.yaml index a10898328..8152a1abc 100644 --- a/cfg/eks-stig-kubernetes-v1r6/master.yaml +++ b/cfg/eks-stig-kubernetes-v1r6/master.yaml @@ -4,5 +4,3 @@ version: "eks-stig-kubernetes-v1r6" id: 1 text: "Control Plane Components" type: "master" - - \ No newline at end of file diff --git a/cfg/eks-stig-kubernetes-v1r6/node.yaml b/cfg/eks-stig-kubernetes-v1r6/node.yaml index c431460f0..2335cc45d 100644 --- a/cfg/eks-stig-kubernetes-v1r6/node.yaml +++ b/cfg/eks-stig-kubernetes-v1r6/node.yaml @@ -8,7 +8,7 @@ groups: - id: 3.1 text: "DISA Category Code I" checks: - - id: V-242387 #CIS 3.2.4 + - id: V-242387 # CIS 3.2.4 text: "Ensure that the --read-only-port argument is set to 0 (Manual)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" @@ -29,8 +29,7 @@ groups: Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service - scored: false - + scored: false - id: V-242390 text: "Ensure that the --anonymous-auth argument is set to false (Automated)" audit: "/bin/ps -fC $kubeletbin" @@ -53,9 +52,8 @@ groups: Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service - scored: true - - - id: V-242391 #CIS 3.2.1 + scored: true + - id: V-242391 # CIS 3.2.1 text: "Ensure that the --anonymous-auth argument is set to false (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" @@ -77,9 +75,8 @@ groups: Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service - scored: true - - - id: V-242392 #CIS 3.2.2 + scored: true + - id: V-242392 # CIS 3.2.2 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" 
@@ -100,8 +97,7 @@ groups: Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service - scored: true - + scored: true - id: V-242397 text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)" audit: "/bin/ps -fC $kubeletbin" @@ -116,19 +112,17 @@ groups: systemctl daemon-reload systemctl restart kubelet.service scored: true - - id: V-242415 text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)" type: "manual" remediation: | Run the following command: kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A - If any of the values returned reference environment variables + If any of the values returned reference environment variables rewrite application code to read secrets from mounted secret files, rather than from environment variables. - scored: false - - - id: V-242434 #CIS 3.2.6 + scored: false + - id: V-242434 # CIS 3.2.6 text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" @@ -150,7 +144,6 @@ groups: systemctl daemon-reload systemctl restart kubelet.service scored: true - - id: V-242435 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" audit: "/bin/ps -fC $kubeletbin" @@ -173,7 +166,6 @@ groups: systemctl daemon-reload systemctl restart kubelet.service scored: true - - id: V-242393 text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)" audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' ' @@ -185,8 +177,7 @@ groups: value: inactive remediation: | To stop the sshd service, run the command: systemctl stop sshd - scored: true - + scored: true - id: V-242394 text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)" audit: "/bin/sh -c 'systemctl is-enabled sshd.service'" 
@@ -197,7 +188,6 @@ groups: To disable the sshd service, run the command: chkconfig sshd off scored: true - - id: V-242395 text: "Kubernetes dashboard must not be enabled. (Manual)" type: "manual" @@ -206,8 +196,7 @@ groups: If any resources are returned, this is a finding. Fix Text: Delete the Kubernetes dashboard deployment with the following command: kubectl delete deployment kubernetes-dashboard --namespace=kube-system - scored: false - + scored: false - id: V-242398 text: "Kubernetes DynamicAuditing must not be enabled. (Automated)" audit: "/bin/ps -fC $kubeletbin" @@ -223,14 +212,13 @@ groups: - flag: "--feature-gates" set: false remediation: | - Edit any manifest files or kubelet config files that contain the feature-gates - setting with DynamicAuditing set to "true". - Set the flag to "false" or remove the "DynamicAuditing" setting - completely. Restart the kubelet service if the kubelet config file + Edit any manifest files or kubelet config files that contain the feature-gates + setting with DynamicAuditing set to "true". + Set the flag to "false" or remove the "DynamicAuditing" setting + completely. Restart the kubelet service if the kubelet config file if the kubelet config file is changed. scored: true - - - id: V-242399 + - id: V-242399 text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" 
@@ -245,13 +233,12 @@ groups: - flag: "--feature-gates" set: false remediation: | - Edit any manifest files or $kubeletconf that contain the feature-gates - setting with DynamicKubeletConfig set to "true". - Set the flag to "false" or remove the "DynamicKubeletConfig" setting - completely. Restart the kubelet service if the kubelet config file + Edit any manifest files or $kubeletconf that contain the feature-gates + setting with DynamicKubeletConfig set to "true". + Set the flag to "false" or remove the "DynamicKubeletConfig" setting + completely. Restart the kubelet service if the kubelet config file if the kubelet config file is changed. scored: true - - id: V-242400 text: "The Kubernetes API server must have Alpha APIs disabled (Automated)" audit: "/bin/ps -fC $kubeletbin" @@ -267,14 +254,13 @@ groups: - flag: "--feature-gates" set: false remediation: | - Edit any manifest files or $kubeletconf that contain the feature-gates - setting with AllAlpha set to "true". - Set the flag to "false" or remove the "AllAlpha" setting - completely. Restart the kubelet service if the kubelet config file + Edit any manifest files or $kubeletconf that contain the feature-gates + setting with AllAlpha set to "true". + Set the flag to "false" or remove the "AllAlpha" setting + completely. Restart the kubelet service if the kubelet config file if the kubelet config file is changed. - scored: true - - - id: V-242404 #CIS 3.2.8 + scored: true + - id: V-242404 # CIS 3.2.8 text: "Ensure that the --hostname-override argument is not set (Automated)" # This is one of those properties that can only be set as a command line argument. # To check if the property is set as expected, we need to parse the kubelet command 
@@ -291,8 +277,7 @@ groups: Based on your system, restart the kubelet service. For example: systemctl daemon-reload systemctl restart kubelet.service - scored: true - + scored: true - id: V-242406 text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)" audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' ' @@ -303,8 +288,7 @@ groups: Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $kubeletkubeconfig - scored: true - + scored: true - id: V-242407 text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)" audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' @@ -318,16 +302,14 @@ groups: Run the following command (using the config file location identified in the Audit step) chmod 644 $kubeletconf scored: true - - id: V-242414 text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)" type: "manual" remediation: | - For any of the pods that are using ports below 1024, - reconfigure the pod to use a service to map a host non-privileged + For any of the pods that are using ports below 1024, + reconfigure the pod to use a service to map a host non-privileged port to the pod port or reconfigure the image to use non-privileged ports. - scored: false - + scored: false - id: V-242442 text: "Kubernetes must remove old components after updated versions have been installed. (Manual)" type: "manual" 
@@ -338,13 +320,12 @@ groups: sort | \ uniq -c Review the images used for pods running within Kubernetes. - Remove any old pods that are using older images. + Remove any old pods that are using older images. scored: false - - id: V-242396 text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)" type: "manual" remediation: | If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. Upgrade the Master and Worker nodes to the latest version of kubectl. - scored: false \ No newline at end of file + scored: false diff --git a/cfg/eks-stig-kubernetes-v1r6/policies.yaml b/cfg/eks-stig-kubernetes-v1r6/policies.yaml index 39b0a3d20..e91eacc4f 100644 --- a/cfg/eks-stig-kubernetes-v1r6/policies.yaml +++ b/cfg/eks-stig-kubernetes-v1r6/policies.yaml @@ -17,18 +17,17 @@ groups: Modify the configuration of each default service account to include this value automountServiceAccountToken: false scored: false - + - id: V-242383 text: "User-managed resources must be created in dedicated namespaces. (Manual)" type: "manual" remediation: | Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces. scored: false - + - id: V-242417 text: "Kubernetes must separate user functionality. (Manual)" type: "manual" remediation: | Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces. - scored: false - \ No newline at end of file + scored: false diff --git a/hack/kind-stig.test.yaml b/hack/kind-stig.test.yaml index 102eb3f21..008bc9b38 100644 --- a/hack/kind-stig.test.yaml +++ b/hack/kind-stig.test.yaml @@ -14,11 +14,11 @@ spec: - name: kube-bench image: docker.io/aquasec/kube-bench:5c76890 command: [ - "kube-bench", - "run", - "--benchmark", - "eks-stig-kubernetes-v1r6", - ] + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] volumeMounts: - name: var-lib-etcd mountPath: /var/lib/etcd 
diff --git a/hack/kind-stig.yaml b/hack/kind-stig.yaml index 314aba860..3b1ab69d5 100644 --- a/hack/kind-stig.yaml +++ b/hack/kind-stig.yaml @@ -14,11 +14,11 @@ spec: - name: kube-bench image: docker.io/aquasec/kube-bench:${VERSION} command: [ - "kube-bench", - "run", - "--benchmark", - "eks-stig-kubernetes-v1r6", - ] + "kube-bench", + "run", + "--benchmark", + "eks-stig-kubernetes-v1r6", + ] volumeMounts: - name: var-lib-etcd mountPath: /var/lib/etcd From 997d0d4d9772ae3178af9ffd6600a472cb2f11e7 Mon Sep 17 00:00:00 2001 From: Chris Renzo <86670002+crenzoaws@users.noreply.github.com> Date: Mon, 12 Sep 2022 17:23:15 +0000 Subject: [PATCH 3/5] Reformatting texts --- .../controlplane.yaml | 51 +++++++++++++++- cfg/eks-stig-kubernetes-v1r6/node.yaml | 60 +++---------------- 2 files changed, 57 insertions(+), 54 deletions(-) diff --git a/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml index 6d59aac77..cc3815974 100644 --- a/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml +++ b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml 
@@ -5,6 +5,53 @@ id: 2
 text: "Control Plane Configuration"
 type: "controlplane"
 groups:
+ - id: 2.1
+ text: "DISA Category Code I"
+ checks:
+ - id: V-242390
+ text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ path: '{.authentication.anonymous.enabled}'
+ set: true
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
+ false.
+ If using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --anonymous-auth=false
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242400
+ text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--feature-gates"
+ compare:
+ op: nothave
+ value: "AllAlpha=true"
+ set: true
+ - flag: "--feature-gates"
+ set: false
+ remediation: |
+ Edit any manifest files or $kubeletconf that contain the feature-gates
+ setting with AllAlpha set to "true".
+ Set the flag to "false" or remove the "AllAlpha" setting
+ completely. Restart the kubelet service if the kubelet config file
+ if the kubelet config file is changed.
+ scored: true
 - id: 2.2
 text: "DISA Category Code II"
 checks:
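Review bot: The two new checks under group 2.1 are API-server controls, but their audit runs against the kubelet (`audit: "/bin/ps -fC $kubeletbin"`, `audit_config: "/bin/cat $kubeletconf"`, path `{.authentication.anonymous.enabled}`), so under the controlplane target the result describes the node's kubelet, or a missing kubelet process, rather than the EKS-managed API server; the updated expected output in the last patch records both as `[FAIL]`, a finding an operator cannot act on from a worker node. Since the control plane is AWS-managed, consider `type: "manual"` with a remediation that points at the managed control plane, as the neighbouring V-242402 and V-242403 entries already do. The V-242400 remediation also carries a duplicated clause, `completely. Restart the kubelet service if the kubelet config file` followed by `if the kubelet config file is changed.`; the same wording survives in node.yaml's V-242398 and V-242399 hunks in the first patch. The node.yaml hunks in this patch that drop V-242390 and V-242400 are covered by this note.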
@@ -18,14 +65,14 @@ groups:
 automountServiceAccountToken: false
 scored: false
 - id: V-242402
- text: "Enable audit logs (Manual)"
+ text: "The Kubernetes API Server must have an audit log path set (Manual)"
 type: "manual"
 remediation: |
 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
 Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
 scored: false
 - id: V-242403
- text: "Enable audit logs (Manual)"
+ text: "Kubernetes API Server must generate audit records (Manual)"
 type: "manual"
 remediation: |
 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
diff --git a/cfg/eks-stig-kubernetes-v1r6/node.yaml b/cfg/eks-stig-kubernetes-v1r6/node.yaml
index 2335cc45d..960912411 100644
--- a/cfg/eks-stig-kubernetes-v1r6/node.yaml
+++ b/cfg/eks-stig-kubernetes-v1r6/node.yaml
@@ -9,7 +9,7 @@ groups:
 text: "DISA Category Code I"
 checks:
 - id: V-242387 # CIS 3.2.4
- text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
+ text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
@@ -30,31 +30,8 @@ groups: systemctl daemon-reload systemctl restart kubelet.service scored: false - - id: V-242390 - text: "Ensure that the --anonymous-auth argument is set to false (Automated)" - audit: "/bin/ps -fC $kubeletbin" - audit_config: "/bin/cat $kubeletconf" - tests: - test_items: - - flag: "--anonymous-auth" - path: '{.authentication.anonymous.enabled}' - set: true - compare: - op: eq - value: false - remediation: | - If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to - false. - If using executable arguments, edit the kubelet service file - $kubeletsvc on each worker node and - set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. - --anonymous-auth=false - Based on your system, restart the kubelet service. For example: - systemctl daemon-reload - systemctl restart kubelet.service - scored: true - id: V-242391 # CIS 3.2.1 - text: "Ensure that the --anonymous-auth argument is set to false (Automated)" + text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: @@ -77,7 +54,7 @@ groups: systemctl restart kubelet.service scored: true - id: V-242392 # CIS 3.2.2 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" + text: "The Kubernetes kubelet must enable explicit authorization (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: @@ -123,7 +100,7 @@ groups: from environment variables. scored: false - id: V-242434 # CIS 3.2.6 - text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)" + text: "Kubernetes Kubelet must enable kernel protection (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: 
@@ -145,7 +122,7 @@ groups: systemctl restart kubelet.service scored: true - id: V-242435 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" + text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)" audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/cat $kubeletconf" tests: @@ -239,29 +216,8 @@ groups: completely. Restart the kubelet service if the kubelet config file if the kubelet config file is changed. scored: true - - id: V-242400 - text: "The Kubernetes API server must have Alpha APIs disabled (Automated)" - audit: "/bin/ps -fC $kubeletbin" - audit_config: "/bin/cat $kubeletconf" - tests: - bin_op: or - test_items: - - flag: "--feature-gates" - compare: - op: nothave - value: "AllAlpha=true" - set: true - - flag: "--feature-gates" - set: false - remediation: | - Edit any manifest files or $kubeletconf that contain the feature-gates - setting with AllAlpha set to "true". - Set the flag to "false" or remove the "AllAlpha" setting - completely. Restart the kubelet service if the kubelet config file - if the kubelet config file is changed. - scored: true - id: V-242404 # CIS 3.2.8 - text: "Ensure that the --hostname-override argument is not set (Automated)" + text: "Kubernetes Kubelet must deny hostname override (Automated)" # This is one of those properties that can only be set as a command line argument. # To check if the property is set as expected, we need to parse the kubelet command # instead reading the Kubelet Configuration file. @@ -279,7 +235,7 @@ groups: systemctl restart kubelet.service scored: true - id: V-242406 - text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)" + text: "The Kubernetes kubelet configuration file must be owned by root (Automated)" audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' ' tests: test_items: 
@@ -290,7 +246,7 @@ groups: chown root:root $kubeletkubeconfig scored: true - id: V-242407 - text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)" + text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)" audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' tests: test_items: From 46607d93ab851e4541fe5d0b135319be0efd6d0b Mon Sep 17 00:00:00 2001 From: Chris Renzo <86670002+crenzoaws@users.noreply.github.com> Date: Mon, 12 Sep 2022 17:23:32 +0000 Subject: [PATCH 4/5] Removing pinned docker tag --- hack/kind-stig.test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/kind-stig.test.yaml b/hack/kind-stig.test.yaml index 008bc9b38..5051277c7 100644 --- a/hack/kind-stig.test.yaml +++ b/hack/kind-stig.test.yaml @@ -12,7 +12,7 @@ spec: hostPID: true containers: - name: kube-bench - image: docker.io/aquasec/kube-bench:5c76890 + image: docker.io/aquasec/kube-bench:latest command: [ "kube-bench", "run", From 4e4aaadf3cd8721d4fabd7e468c3c3199b291a5d Mon Sep 17 00:00:00 2001 From: Chris <86670002+crenzoaws@users.noreply.github.com> Date: Wed, 14 Sep 2022 12:46:01 +0000 Subject: [PATCH 5/5] Updating Expected Stig Output --- .../testdata/Expected_output_stig.data | 64 ++++++++++++------- 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/integration/testdata/Expected_output_stig.data b/integration/testdata/Expected_output_stig.data index 70262a155..167dd030c 100644 --- a/integration/testdata/Expected_output_stig.data +++ b/integration/testdata/Expected_output_stig.data 
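Review bot: `image: docker.io/aquasec/kube-bench:latest` replaces a pinned tag with a mutable one, so each run of hack/kind-stig.test.yaml pulls whatever is currently published under that tag, and the expected output in integration/testdata/Expected_output_stig.data can drift without any change in this repository. hack/kind-stig.yaml keeps `image: docker.io/aquasec/kube-bench:${VERSION}` for the same field; using the same substitution here, or a digest-pinned reference, keeps the test reproducible and limits exposure to a replaced upstream tag.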
@@ -7,10 +7,13 @@
 0 checks INFO
 [INFO] 2 Control Plane Configuration
+[INFO] 2.1 DISA Category Code I
+[FAIL] V-242390 The Kubernetes API server must have anonymous authentication disabled (Automated)
+[FAIL] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated)
 [INFO] 2.2 DISA Category Code II
 [WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
-[WARN] V-242402 Enable audit logs (Manual)
-[WARN] V-242403 Enable audit logs (Manual)
+[WARN] V-242402 The Kubernetes API Server must have an audit log path set (Manual)
+[WARN] V-242403 Kubernetes API Server must generate audit records (Manual)
 [WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual)
 [WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual)
 [WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual)
@@ -19,6 +22,22 @@
 [WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)
 == Remediations controlplane ==
+V-242390 If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
+false.
+If using executable arguments, edit the kubelet service file
+$kubeletsvc on each worker node and
+set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+--anonymous-auth=false
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242400 Edit any manifest files or $kubeletconf that contain the feature-gates
+setting with AllAlpha set to "true".
+Set the flag to "false" or remove the "AllAlpha" setting
+completely. Restart the kubelet service if the kubelet config file
+if the kubelet config file is changed.
+
 V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server.
 Modify the configuration of each default service account to include this value
@@ -45,34 +64,33 @@ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler. Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html -V-242443 Upgrade Kubernetes to a supported version. -Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html +V-242443 Upgrade Kubernetes to a supported version. +Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html + == Summary controlplane == 0 checks PASS -0 checks FAIL +2 checks FAIL 9 checks WARN 0 checks INFO [INFO] 3 Worker Node Security Configuration [INFO] 3.1 DISA Category Code I -[WARN] V-242387 Ensure that the --read-only-port argument is set to 0 (Manual) -[PASS] V-242390 Ensure that the --anonymous-auth argument is set to false (Automated) -[PASS] V-242391 Ensure that the --anonymous-auth argument is set to false (Automated) -[PASS] V-242392 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) +[WARN] V-242387 The Kubernetes Kubelet must have the read-only port flag disabled (Manual) +[PASS] V-242391 The Kubernetes Kubelet must have anonymous authentication disabled (Automated) +[PASS] V-242392 The Kubernetes kubelet must enable explicit authorization (Automated) [FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated) [WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables.(Manual) -[FAIL] V-242434 Ensure that the --protect-kernel-defaults argument is set to true (Automated) -[PASS] V-242435 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) +[FAIL] V-242434 Kubernetes Kubelet must enable kernel protection (Automated) +[PASS] V-242435 Kubernetes must prevent non-privileged users from executing privileged functions (Automated) [FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. 
(Automated) [FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated) [WARN] V-242395 Kubernetes dashboard must not be enabled. (Manual) [PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated) [PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated) -[PASS] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated) -[PASS] V-242404 Ensure that the --hostname-override argument is not set (Automated) -[PASS] V-242406 Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated) -[PASS] V-242407 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated) +[PASS] V-242404 Kubernetes Kubelet must deny hostname override (Automated) +[PASS] V-242406 The Kubernetes kubelet configuration file must be owned by root (Automated) +[PASS] V-242407 The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated) [WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual) [WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual) [WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. (Manual) @@ -94,7 +112,7 @@ systemctl restart kubelet.service V-242415 Run the following command: kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A -If any of the values returned reference environment variables +If any of the values returned reference environment variables rewrite application code to read secrets from mounted secret files, rather than from environment variables. 
@@ -117,8 +135,8 @@ If any resources are returned, this is a finding. Fix Text: Delete the Kubernetes dashboard deployment with the following command: kubectl delete deployment kubernetes-dashboard --namespace=kube-system -V-242414 For any of the pods that are using ports below 1024, -reconfigure the pod to use a service to map a host non-privileged +V-242414 For any of the pods that are using ports below 1024, +reconfigure the pod to use a service to map a host non-privileged port to the pod port or reconfigure the image to use non-privileged ports. V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command: @@ -127,14 +145,14 @@ V-242442 To view all pods and the images used to create the pods, from the Maste sort | \ uniq -c Review the images used for pods running within Kubernetes. - Remove any old pods that are using older images. + Remove any old pods that are using older images. V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding. Upgrade the Master and Worker nodes to the latest version of kubectl. == Summary node == -10 checks PASS +8 checks PASS 4 checks FAIL 6 checks WARN 0 checks INFO @@ -231,7 +249,7 @@ V-242417 Move any user pods that are present in the Kubernetes system namespaces == Remediations managedservices == V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook -Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html +Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html == Summary managedservices == @@ -241,8 +259,8 @@ Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html 62 checks INFO == Summary total == -10 checks PASS -4 checks FAIL +8 checks PASS +6 checks FAIL 19 checks WARN 62 checks INFO