CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker

Audit Details

Name: CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker

Updated: 11/4/2022

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 26

File Details

Filename: CIS_Kubernetes_v1.24_v1.0.0_Level_1_Worker.audit

Size: 124 kB

MD5: 8773310b5570479e32d7800052648f2e
SHA256: 0ec3adc5f8fbfcca890cde673f7d7184ed4538f753b0a0d42f03aa1c4c9e09f3

Audit Items

Description | Categories

4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION

4.1.2 Ensure that the kubelet service file ownership is set to root:root | ACCESS CONTROL

4.1.3 If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION

4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root | ACCESS CONTROL

4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION

4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | ACCESS CONTROL

4.1.7 Ensure that the certificate authorities file permissions are set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION

4.1.8 Ensure that the client certificate authorities file ownership is set to root:root | ACCESS CONTROL

4.1.9 If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION

4.1.10 If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root | ACCESS CONTROL

4.2.1 Ensure that the --anonymous-auth argument is set to false | ACCESS CONTROL, MEDIA PROTECTION

4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow | ACCESS CONTROL, MEDIA PROTECTION

4.2.3 Ensure that the --client-ca-file argument is set as appropriate | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.2.4 Verify that the --read-only-port argument is set to 0 | CONFIGURATION MANAGEMENT

4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | SYSTEM AND INFORMATION INTEGRITY

4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | CONFIGURATION MANAGEMENT

4.2.7 Ensure that the --make-iptables-util-chains argument is set to true | CONFIGURATION MANAGEMENT

4.2.8 Ensure that the --hostname-override argument is not set | CONFIGURATION MANAGEMENT

4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.2.11 Ensure that the --rotate-certificates argument is not set to false | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | CONFIGURATION MANAGEMENT

5.1.3 Minimize wildcard use in Roles and ClusterRoles - clusterroles | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.1.3 Minimize wildcard use in Roles and ClusterRoles - roles | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

CIS_Kubernetes_v1.24_v1.0.0_Level_1_Worker.audit from CIS Kubernetes v1.24 Benchmark v1.0.0 | CONFIGURATION MANAGEMENT