diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 66c3e17c7da56e72cafbc5389b25f0ba0a604162..f4b6f1eb5aa38df6c8da10f0a248d63e6d761609 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -77,3 +77,4 @@ Finally, we can use the `make kind-run` target to run the current version of kub
Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )
+To run the STIG tests locally execute the following: `make build-docker kind-push kind-run-stig`
diff --git a/cfg/config.yaml b/cfg/config.yaml
index fcb8bd84cb7753a4ff72fc53654ffb1191257097..bb0e5f3ced39f181ab34d33dd93c2e4e27547b4f 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -324,3 +324,8 @@ target_mapping:
- "controlplane"
- "policies"
- "etcd"
+ "eks-stig-kubernetes-v1r6":
+ - "node"
+ - "controlplane"
+ - "policies"
+ - "managedservices"
diff --git a/cfg/eks-stig-kubernetes-v1r6/config.yaml b/cfg/eks-stig-kubernetes-v1r6/config.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..17301a751a53161bd248d6b0f450ab1e6a5e1a86
--- /dev/null
+++ b/cfg/eks-stig-kubernetes-v1r6/config.yaml
@@ -0,0 +1,9 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
+## These settings are required if you are using the --asff option to report findings to AWS Security Hub
+## AWS account number is required.
+AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
+## AWS region is required.
+AWS_REGION: "<AWS_REGION>"
+## EKS Cluster ARN is required.
+CLUSTER_ARN: "<AWS_CLUSTER_ARN>"
diff --git a/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cc38159745f7d70a0e3178ba4036ce808dc2a423
--- /dev/null
+++ b/cfg/eks-stig-kubernetes-v1r6/controlplane.yaml
@@ -0,0 +1,124 @@
+---
+controls:
+version: "eks-stig-kubernetes-v1r6"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+ - id: 2.1
+ text: "DISA Category Code I"
+ checks:
+ - id: V-242390
+ text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ path: '{.authentication.anonymous.enabled}'
+ set: true
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
+ false.
+ If using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --anonymous-auth=false
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242400
+ text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--feature-gates"
+ compare:
+ op: nothave
+ value: "AllAlpha=true"
+ set: true
+ - flag: "--feature-gates"
+ set: false
+ remediation: |
+ Edit any manifest files or $kubeletconf that contain the feature-gates
+ setting with AllAlpha set to "true".
+ Set the flag to "false" or remove the "AllAlpha" setting
+ completely. Restart the kubelet service if the kubelet config file
+ if the kubelet config file is changed.
+ scored: true
+ - id: 2.2
+ text: "DISA Category Code II"
+ checks:
+ - id: V-242381
+ text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
+ type: "manual"
+ remediation: |
+ Create explicit service accounts wherever a Kubernetes workload requires specific access
+ to the Kubernetes API server.
+ Modify the configuration of each default service account to include this value
+ automountServiceAccountToken: false
+ scored: false
+ - id: V-242402
+ text: "The Kubernetes API Server must have an audit log path set (Manual)"
+ type: "manual"
+ remediation: |
+ Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+ scored: false
+ - id: V-242403
+ text: "Kubernetes API Server must generate audit records (Manual)"
+ type: "manual"
+ remediation: |
+ Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+ scored: false
+ - id: V-242461
+ text: "Kubernetes API Server audit logs must be enabled. (Manual)"
+ type: "manual"
+ remediation: |
+ Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+ scored: false
+ - id: V-242462
+ text: "The Kubernetes API Server must be set to audit log max size. (Manual)"
+ type: "manual"
+ remediation: |
+ Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+ scored: false
+ - id: V-242463
+ text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)"
+ type: "manual"
+ remediation: |
+ Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+ scored: false
+ - id: V-242464
+ text: "The Kubernetes API Server audit log retention must be set. (Manual)"
+ type: "manual"
+ remediation: |
+ Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+ scored: false
+ - id: V-242465
+ text: "The Kubernetes API Server audit log path must be set. (Manual)"
+ type: "manual"
+ remediation: |
+ Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+ scored: false
+ - id: 2.2
+ text: "DISA Category Code II"
+ checks:
+ - id: V-242443
+ text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
+ type: "manual"
+ remediation: |
+ Upgrade Kubernetes to a supported version.
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
diff --git a/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..23c4eaa9f2027680728368263b50e9fd7cb2ed64
--- /dev/null
+++ b/cfg/eks-stig-kubernetes-v1r6/managedservices.yaml
@@ -0,0 +1,268 @@
+---
+controls:
+version: "eks-stig-kubernetes-v1r6"
+id: 5
+text: "Managed Services"
+type: "managedservices"
+groups:
+ - id: 5.1
+ text: "DISA Category Code I"
+ checks:
+ - id: V-242386
+ text: "The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242388
+ text: "The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242436
+ text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)"
+ type: "manual"
+ remediation: |
+ Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
+ Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
+ scored: false
+
+ - id: V-245542
+ text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: 5.2
+ text: "DISA Category Code II"
+ checks:
+ - id: V-242376
+ text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242377
+ text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242378
+ text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242379
+ text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242380
+ text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242382
+ text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242384
+ text: "The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242385
+ text: "The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242389
+ text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242401
+ text: "The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242402
+ text: "The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242403
+ text: "Kubernetes API Server must generate audit records | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242405
+ text: "The Kubernetes manifests must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242408
+ text: "The Kubernetes manifests must have least privileges | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242409
+ text: "Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242410
+ text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242411
+ text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242412
+ text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242413
+ text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242418
+ text: "The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242419
+ text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242420
+ text: "Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242421
+ text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242422
+ text: "Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242423
+ text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242424
+ text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242425
+ text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242426
+ text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242427
+ text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242428
+ text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242429
+ text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242430
+ text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242431
+ text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242432
+ text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242433
+ text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242438
+ text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242444
+ text: "The Kubernetes component manifests must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242445
+ text: "The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242446
+ text: "The Kubernetes conf files must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242447
+ text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242448
+ text: "The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242449
+ text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242450
+ text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242451
+ text: "The Kubernetes component PKI must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242452
+ text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242453
+ text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242454
+ text: "The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242455
+ text: "The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242456
+ text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242457
+ text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242458
+ text: "The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242459
+ text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242460
+ text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242466
+ text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242467
+ text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-242468
+ text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-245541
+ text: "Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-245543
+ text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane"
+ type: "skip"
+
+ - id: V-245544
+ text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane"
+ type: "skip"
diff --git a/cfg/eks-stig-kubernetes-v1r6/master.yaml b/cfg/eks-stig-kubernetes-v1r6/master.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8152a1abcd5c51fca0a594b92b504e096552a82b
--- /dev/null
+++ b/cfg/eks-stig-kubernetes-v1r6/master.yaml
@@ -0,0 +1,6 @@
+---
+controls:
+version: "eks-stig-kubernetes-v1r6"
+id: 1
+text: "Control Plane Components"
+type: "master"
diff --git a/cfg/eks-stig-kubernetes-v1r6/node.yaml b/cfg/eks-stig-kubernetes-v1r6/node.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..96091241147474fdd899e4bf3e0ea7216d617132
--- /dev/null
+++ b/cfg/eks-stig-kubernetes-v1r6/node.yaml
@@ -0,0 +1,287 @@
+---
+controls:
+version: "eks-stig-kubernetes-v1r6"
+id: 3
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+ - id: 3.1
+ text: "DISA Category Code I"
+ checks:
+ - id: V-242387 # CIS 3.2.4
+ text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: "--read-only-port"
+ path: '{.readOnlyPort}'
+ set: true
+ compare:
+ op: eq
+ value: 0
+ remediation: |
+ If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --read-only-port=0
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+ - id: V-242391 # CIS 3.2.1
+ text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ path: '{.authentication.anonymous.enabled}'
+ set: true
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
+ false.
+ If using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --anonymous-auth=false
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242392 # CIS 3.2.2
+ text: "The Kubernetes kubelet must enable explicit authorization (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --authorization-mode
+ path: '{.authorization.mode}'
+ set: true
+ compare:
+ op: nothave
+ value: AlwaysAllow
+ remediation: |
+ If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
+ using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_AUTHZ_ARGS variable.
+ --authorization-mode=Webhook
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242397
+ text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - path: '{.staticPodPath}'
+ set: false
+ remediation: |
+ Edit $kubeletconf on each node to to remove the staticPodPath
+ Based on your system, restart the kubelet service. For example,
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242415
+ text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)"
+ type: "manual"
+ remediation: |
+ Run the following command:
+ kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
+ If any of the values returned reference environment variables
+ rewrite application code to read secrets from mounted secret files, rather than
+ from environment variables.
+ scored: false
+ - id: V-242434 # CIS 3.2.6
+ text: "Kubernetes Kubelet must enable kernel protection (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --protect-kernel-defaults
+ path: '{.protectKernelDefaults}'
+ set: true
+ compare:
+ op: eq
+ value: true
+ remediation: |
+ If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --protect-kernel-defaults=true
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242435
+ text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --authorization-mode
+ path: '{.authorization.mode}'
+ set: true
+ compare:
+ op: nothave
+ value: AlwaysAllow
+ remediation: |
+ If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
+ using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_AUTHZ_ARGS variable.
+ --authorization-mode=Webhook
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242393
+ text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
+ audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
+ tests:
+ test_items:
+ - flag: ActiveState
+ compare:
+ op: eq
+ value: inactive
+ remediation: |
+ To stop the sshd service, run the command: systemctl stop sshd
+ scored: true
+ - id: V-242394
+ text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
+ audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
+ tests:
+ test_items:
+ - flag: "disabled"
+ remediation: |
+ To disable the sshd service, run the command:
+ chkconfig sshd off
+ scored: true
+ - id: V-242395
+ text: "Kubernetes dashboard must not be enabled. (Manual)"
+ type: "manual"
+ remediation: |
+ Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
+ If any resources are returned, this is a finding.
+ Fix Text: Delete the Kubernetes dashboard deployment with the following command:
+ kubectl delete deployment kubernetes-dashboard --namespace=kube-system
+ scored: false
+ - id: V-242398
+ text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--feature-gates"
+ compare:
+ op: nothave
+ value: "DynamicAuditing=true"
+ set: true
+ - flag: "--feature-gates"
+ set: false
+ remediation: |
+ Edit any manifest files or kubelet config files that contain the feature-gates
+ setting with DynamicAuditing set to "true".
+ Set the flag to "false" or remove the "DynamicAuditing" setting
+ completely. Restart the kubelet service if the kubelet config file
+ if the kubelet config file is changed.
+ scored: true
+ - id: V-242399
+ text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--feature-gates"
+ compare:
+ op: nothave
+ value: "DynamicKubeletConfig=true"
+ set: true
+ - flag: "--feature-gates"
+ set: false
+ remediation: |
+ Edit any manifest files or $kubeletconf that contain the feature-gates
+ setting with DynamicKubeletConfig set to "true".
+ Set the flag to "false" or remove the "DynamicKubeletConfig" setting
+ completely. Restart the kubelet service if the kubelet config file
+ if the kubelet config file is changed.
+ scored: true
+ - id: V-242404 # CIS 3.2.8
+ text: "Kubernetes Kubelet must deny hostname override (Automated)"
+ # This is one of those properties that can only be set as a command line argument.
+ # To check if the property is set as expected, we need to parse the kubelet command
+ # instead reading the Kubelet Configuration file.
+ audit: "/bin/ps -fC $kubeletbin "
+ tests:
+ test_items:
+ - flag: --hostname-override
+ set: false
+ remediation: |
+ Edit the kubelet service file $kubeletbin
+ on each worker node and remove the --hostname-override argument from the
+ KUBELET_SYSTEM_PODS_ARGS variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+ - id: V-242406
+ text: "The Kubernetes kubelet configuration file must be owned by root (Automated)"
+ audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
+ tests:
+ test_items:
+ - flag: root:root
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example,
+ chown root:root $kubeletkubeconfig
+ scored: true
+ - id: V-242407
+ text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)"
+ audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the following command (using the config file location identified in the Audit step)
+ chmod 644 $kubeletconf
+ scored: true
+ - id: V-242414
+ text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)"
+ type: "manual"
+ remediation: |
+ For any of the pods that are using ports below 1024,
+ reconfigure the pod to use a service to map a host non-privileged
+ port to the pod port or reconfigure the image to use non-privileged ports.
+ scored: false
+ - id: V-242442
+ text: "Kubernetes must remove old components after updated versions have been installed. (Manual)"
+ type: "manual"
+ remediation: |
+ To view all pods and the images used to create the pods, from the Master node, run the following command:
+ kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
+ tr -s '[[:space:]]' '\n' | \
+ sort | \
+ uniq -c
+ Review the images used for pods running within Kubernetes.
+ Remove any old pods that are using older images.
+ scored: false
+ - id: V-242396
+ text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
+ type: "manual"
+ remediation: |
+ If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
+ Upgrade the Master and Worker nodes to the latest version of kubectl.
+ scored: false
diff --git a/cfg/eks-stig-kubernetes-v1r6/policies.yaml b/cfg/eks-stig-kubernetes-v1r6/policies.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e91eacc4f219733c3adda4abe3c7d5e083dbc14c
--- /dev/null
+++ b/cfg/eks-stig-kubernetes-v1r6/policies.yaml
@@ -0,0 +1,33 @@
+---
+controls:
+version: "eks-stig-kubernetes-v1r6"
+id: 4
+text: "Policies"
+type: "policies"
+groups:
+ - id: 4.1
+ text: "Policies - DISA Category Code I"
+ checks:
+ - id: V-242381
+ text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
+ type: "manual"
+ remediation: |
+ Create explicit service accounts wherever a Kubernetes workload requires specific access
+ to the Kubernetes API server.
+ Modify the configuration of each default service account to include this value
+ automountServiceAccountToken: false
+ scored: false
+
+ - id: V-242383
+ text: "User-managed resources must be created in dedicated namespaces. (Manual)"
+ type: "manual"
+ remediation: |
+ Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
+ scored: false
+
+ - id: V-242417
+ text: "Kubernetes must separate user functionality. (Manual)"
+ type: "manual"
+ remediation: |
+ Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
+ scored: false
diff --git a/docs/architecture.md b/docs/architecture.md
index 18370634ed151b39d8c41101d77b7c3c7d18ece2..b423a71ac4011c72786c0850fb25577ac9e4a62a 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -27,4 +27,10 @@ The following table shows the valid targets based on the CIS Benchmark version.
| rh-0.7 | master,node|
| rh-1.0 | master, controlplane, node, etcd, policies |
+The following table shows the valid DISA STIG versions
+
+| STIG | Targets |
+|----------------------------|---------|
+| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices |
+
diff --git a/docs/platforms.md b/docs/platforms.md
index 0883eed71c018a91d33ca420114baf5c13125bac..8d4e3d7eb65c309f71117d17ba6f013f56934b5c 100644
--- a/docs/platforms.md
+++ b/docs/platforms.md
@@ -2,7 +2,10 @@
## CIS Kubernetes Benchmark support
kube-bench supports running tests for Kubernetes.
-Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+Most of our supported benchmarks are defined in one of the following:
+ [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
+ [STIG Document Library](https://public.cyber.mil/stigs/downloads)
+
Some defined by other hardenening guides.
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
@@ -18,3 +21,4 @@ Some defined by other hardenening guides.
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
+| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |
diff --git a/docs/running.md b/docs/running.md
index 04af7bb5037a58ae6bf3e75003bf978e6645dd89..11b37d61cc6090da32671764b586521734a4aea5 100644
--- a/docs/running.md
+++ b/docs/running.md
@@ -77,7 +77,7 @@ docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
```
kube-bench cannot be run on AKS master nodes
-### Running in an EKS cluster
+### Running CIS benchmark in an EKS cluster
There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
@@ -103,6 +103,31 @@ docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
+### Running DISA STIG in an EKS cluster
+
+There is a `job-eks-stig.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
+
+1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide*
+ - Information on configuring `eksctl`, `kubectl` and the AWS CLI is within
+2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image
+```
+aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
+```
+3. Download, build and push the kube-bench container image to your ECR repo
+```
+git clone https://github.com/aquasecurity/kube-bench.git
+cd kube-bench
+aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
+docker build -t k8s/kube-bench .
+docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
+docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
+```
+4. Copy the URI of your pushed image, the URI format is like this: `<AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest`
+5. Replace the `image` value in `job-eks-stig.yaml` with the URI from Step 4
+6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks-stig.yaml`
+7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces`
+8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
+ - You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
### Running on OpenShift
diff --git a/hack/kind-stig.test.yaml b/hack/kind-stig.test.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5051277c731e08b5b4d1dcd20709ec04fc7ce076
--- /dev/null
+++ b/hack/kind-stig.test.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench
+spec:
+ template:
+ metadata:
+ labels:
+ app: kube-bench
+ spec:
+ hostPID: true
+ containers:
+ - name: kube-bench
+ image: docker.io/aquasec/kube-bench:latest
+ command: [
+ "kube-bench",
+ "run",
+ "--benchmark",
+ "eks-stig-kubernetes-v1r6",
+ ]
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+ # You can omit this mount if you specify --version as part of the command.
+ - name: usr-bin
+ mountPath: /usr/local/mount-from-host/bin
+ - name: kind-bin
+ mountPath: /kind/bin
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
+ - name: kind-bin
+ hostPath:
+ path: "/kind/bin"
diff --git a/hack/kind-stig.yaml b/hack/kind-stig.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3b1ab69d52141863ec6e75e7e47f3ed30fbb79b8
--- /dev/null
+++ b/hack/kind-stig.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench
+spec:
+ template:
+ metadata:
+ labels:
+ app: kube-bench
+ spec:
+ hostPID: true
+ containers:
+ - name: kube-bench
+ image: docker.io/aquasec/kube-bench:${VERSION}
+ command: [
+ "kube-bench",
+ "run",
+ "--benchmark",
+ "eks-stig-kubernetes-v1r6",
+ ]
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+ # You can omit this mount if you specify --version as part of the command.
+ - name: usr-bin
+ mountPath: /usr/local/mount-from-host/bin
+ - name: kind-bin
+ mountPath: /kind/bin
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
+ - name: kind-bin
+ hostPath:
+ path: "/kind/bin"
diff --git a/integration/testdata/Expected_output_stig.data b/integration/testdata/Expected_output_stig.data
new file mode 100644
index 0000000000000000000000000000000000000000..167dd030c602ef6b2b60cecf329ea23dce018086
--- /dev/null
+++ b/integration/testdata/Expected_output_stig.data
@@ -0,0 +1,266 @@
+[INFO] 1 Control Plane Components
+
+== Summary master ==
+0 checks PASS
+0 checks FAIL
+0 checks WARN
+0 checks INFO
+
+[INFO] 2 Control Plane Configuration
+[INFO] 2.1 DISA Category Code I
+[FAIL] V-242390 The Kubernetes API server must have anonymous authentication disabled (Automated)
+[FAIL] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated)
+[INFO] 2.2 DISA Category Code II
+[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
+[WARN] V-242402 The Kubernetes API Server must have an audit log path set (Manual)
+[WARN] V-242403 Kubernetes API Server must generate audit records (Manual)
+[WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual)
+[WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual)
+[WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual)
+[WARN] V-242464 The Kubernetes API Server audit log retention must be set. (Manual)
+[WARN] V-242465 The Kubernetes API Server audit log path must be set. (Manual)
+[WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)
+
+== Remediations controlplane ==
+V-242390 If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
+false.
+If using executable arguments, edit the kubelet service file
+$kubeletsvc on each worker node and
+set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+--anonymous-auth=false
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242400 Edit any manifest files or $kubeletconf that contain the feature-gates
+setting with AllAlpha set to "true".
+Set the flag to "false" or remove the "AllAlpha" setting
+completely. Restart the kubelet service if the kubelet config file
+if the kubelet config file is changed.
+
+V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
+to the Kubernetes API server.
+Modify the configuration of each default service account to include this value
+automountServiceAccountToken: false
+
+V-242402 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242403 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242461 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242462 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242463 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242464 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+
+V-242443 Upgrade Kubernetes to a supported version.
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
+
+
+== Summary controlplane ==
+0 checks PASS
+2 checks FAIL
+9 checks WARN
+0 checks INFO
+
+[INFO] 3 Worker Node Security Configuration
+[INFO] 3.1 DISA Category Code I
+[WARN] V-242387 The Kubernetes Kubelet must have the read-only port flag disabled (Manual)
+[PASS] V-242391 The Kubernetes Kubelet must have anonymous authentication disabled (Automated)
+[PASS] V-242392 The Kubernetes kubelet must enable explicit authorization (Automated)
+[FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated)
+[WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables.(Manual)
+[FAIL] V-242434 Kubernetes Kubelet must enable kernel protection (Automated)
+[PASS] V-242435 Kubernetes must prevent non-privileged users from executing privileged functions (Automated)
+[FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. (Automated)
+[FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)
+[WARN] V-242395 Kubernetes dashboard must not be enabled. (Manual)
+[PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated)
+[PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated)
+[PASS] V-242404 Kubernetes Kubelet must deny hostname override (Automated)
+[PASS] V-242406 The Kubernetes kubelet configuration file must be owned by root (Automated)
+[PASS] V-242407 The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)
+[WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)
+[WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual)
+[WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. (Manual)
+
+== Remediations node ==
+V-242387 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set readOnlyPort to 0.
+If using command line arguments, edit the kubelet service file
+/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
+set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+--read-only-port=0
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242397 Edit /var/lib/kubelet/config.yaml on each node to to remove the staticPodPath
+Based on your system, restart the kubelet service. For example,
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242415 Run the following command:
+kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
+If any of the values returned reference environment variables
+rewrite application code to read secrets from mounted secret files, rather than
+from environment variables.
+
+V-242434 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set protectKernelDefaults: true.
+If using command line arguments, edit the kubelet service file
+/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
+set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+--protect-kernel-defaults=true
+Based on your system, restart the kubelet service. For example:
+systemctl daemon-reload
+systemctl restart kubelet.service
+
+V-242393 To stop the sshd service, run the command: systemctl stop sshd
+
+V-242394 To disable the sshd service, run the command:
+ chkconfig sshd off
+
+V-242395 Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
+If any resources are returned, this is a finding.
+Fix Text: Delete the Kubernetes dashboard deployment with the following command:
+ kubectl delete deployment kubernetes-dashboard --namespace=kube-system
+
+V-242414 For any of the pods that are using ports below 1024,
+reconfigure the pod to use a service to map a host non-privileged
+port to the pod port or reconfigure the image to use non-privileged ports.
+
+V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command:
+ kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
+ tr -s '[[:space:]]' '\n' | \
+ sort | \
+ uniq -c
+ Review the images used for pods running within Kubernetes.
+ Remove any old pods that are using older images.
+
+V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
+Upgrade the Master and Worker nodes to the latest version of kubectl.
+
+
+== Summary node ==
+8 checks PASS
+4 checks FAIL
+6 checks WARN
+0 checks INFO
+
+[INFO] 4 Policies
+[INFO] 4.1 Policies - DISA Category Code I
+[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
+[WARN] V-242383 User-managed resources must be created in dedicated namespaces. (Manual)
+[WARN] V-242417 Kubernetes must separate user functionality. (Manual)
+
+== Remediations policies ==
+V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
+to the Kubernetes API server.
+Modify the configuration of each default service account to include this value
+automountServiceAccountToken: false
+
+V-242383 Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
+
+V-242417 Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
+
+
+== Summary policies ==
+0 checks PASS
+0 checks FAIL
+3 checks WARN
+0 checks INFO
+
+[INFO] 5 Managed Services
+[INFO] 5.1 DISA Category Code I
+[INFO] V-242386 The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane
+[INFO] V-242388 The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane
+[WARN] V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)
+[INFO] V-245542 Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane
+[INFO] 5.2 DISA Category Code II
+[INFO] V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane
+[INFO] V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane
+[INFO] V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane
+[INFO] V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
+[INFO] V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
+[INFO] V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane
+[INFO] V-242384 The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane
+[INFO] V-242385 The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane
+[INFO] V-242389 The Kubernetes API server must have the secure port set | Component of EKS Control Plane
+[INFO] V-242401 The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane
+[INFO] V-242402 The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane
+[INFO] V-242403 Kubernetes API Server must generate audit records | Component of EKS Control Plane
+[INFO] V-242405 The Kubernetes manifests must be owned by root | Component of EKS Control Plane
+[INFO] V-242408 The Kubernetes manifests must have least privileges | Component of EKS Control Plane
+[INFO] V-242409 Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane
+[INFO] V-242410 The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242411 The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242412 The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242413 The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
+[INFO] V-242418 The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane
+[INFO] V-242419 Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242422 Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane
+[INFO] V-242423 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242424 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242425 Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242426 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
+[INFO] V-242427 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
+[INFO] V-242428 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
+[INFO] V-242429 Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane
+[INFO] V-242430 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
+[INFO] V-242431 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
+[INFO] V-242432 Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane
+[INFO] V-242433 Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane
+[INFO] V-242438 Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane
+[INFO] V-242444 The Kubernetes component manifests must be owned by root | Component of EKS Control Plane
+[INFO] V-242445 The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane
+[INFO] V-242446 The Kubernetes conf files must be owned by root | Component of EKS Control Plane
+[INFO] V-242447 The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242448 The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane
+[INFO] V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242450 The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane
+[INFO] V-242451 The Kubernetes component PKI must be owned by root | Component of EKS Control Plane
+[INFO] V-242452 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242453 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
+[INFO] V-242454 The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane
+[INFO] V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242457 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
+[INFO] V-242458 The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242460 The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
+[INFO] V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane
+[INFO] V-242468 The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane
+[INFO] V-245541 Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane
+[INFO] V-245543 Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane
+[INFO] V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane
+
+== Remediations managedservices ==
+V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
+Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
+
+
+== Summary managedservices ==
+0 checks PASS
+0 checks FAIL
+1 checks WARN
+62 checks INFO
+
+== Summary total ==
+8 checks PASS
+6 checks FAIL
+19 checks WARN
+62 checks INFO
+
diff --git a/job-eks-stig.yaml b/job-eks-stig.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..65ce5dc9a14d87197965523c6da77ed5312b4e31
--- /dev/null
+++ b/job-eks-stig.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench
+spec:
+ template:
+ spec:
+ hostPID: true
+ containers:
+ - name: kube-bench
+ # Push the image to your ECR and then refer to it here
+ # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
+ image: docker.io/aquasec/kube-bench:latest
+ # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
+ command:
+ [
+ "kube-bench",
+ "run",
+ "--benchmark",
+ "eks-stig-kubernetes-v1r6",
+ ]
+ volumeMounts:
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ readOnly: true
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ readOnly: true
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
diff --git a/makefile b/makefile
index c607056925876b13d56873b4b9c2b1f964987908..61b5b54e96a1b884f195da7588d2d268404502c1 100644
--- a/makefile
+++ b/makefile
@@ -78,3 +78,15 @@ kind-run: kind-push
kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
kubectl logs job/kube-bench > ./test.data && \
diff ./test.data integration/testdata/Expected_output.data
+
+kind-run-stig: KUBECONFIG = "./kubeconfig.kube-bench"
+kind-run-stig: kind-push
+ sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind-stig.yaml > ./hack/kind-stig.test.yaml
+ kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG)
+ -KUBECONFIG=$(KUBECONFIG) \
+ kubectl delete job kube-bench
+ KUBECONFIG=$(KUBECONFIG) \
+ kubectl apply -f ./hack/kind-stig.test.yaml && \
+ kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
+ kubectl logs job/kube-bench > ./test.data && \
+ diff ./test.data integration/testdata/Expected_output_stig.data