DISA STIG Kubernetes v1r6

Audit Details

Name: DISA STIG Kubernetes v1r6

Updated: 10/17/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 98

File Details

Filename: DISA_STIG_Kubernetes_v1r6.audit

Size: 176 kB

MD5: 15a73b6865a540bdbb11b4fa6f7335b9
SHA256: c106f17b93cc64a9243ce5aeb710a79c290bb83d005314f292c3440ac609d0bf

Audit Items

Description / Categories
CNTR-K8-000150 - The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000160 - The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000170 - The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000180 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000190 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload.

ACCESS CONTROL

CNTR-K8-000270 - The Kubernetes API Server must enable Node,RBAC as the authorization mode.

ACCESS CONTROL

CNTR-K8-000290 - User-managed resources must be created in dedicated namespaces.

CONFIGURATION MANAGEMENT

CNTR-K8-000300 - The Kubernetes Scheduler must have secure binding.

ACCESS CONTROL

CNTR-K8-000310 - The Kubernetes Controller Manager must have secure binding.

ACCESS CONTROL

CNTR-K8-000320 - The Kubernetes API server must have the insecure port flag disabled.

ACCESS CONTROL

CNTR-K8-000330 - The Kubernetes Kubelet must have the read-only port flag disabled.

ACCESS CONTROL

CNTR-K8-000340 - The Kubernetes API server must have the insecure bind address not set.

ACCESS CONTROL

CNTR-K8-000350 - The Kubernetes API server must have the secure port set.

ACCESS CONTROL

CNTR-K8-000360 - The Kubernetes API server must have anonymous authentication disabled.

ACCESS CONTROL

CNTR-K8-000370 - The Kubernetes Kubelet must have anonymous authentication disabled.

ACCESS CONTROL

CNTR-K8-000380 - The Kubernetes kubelet must enable explicit authorization.

ACCESS CONTROL

CNTR-K8-000400 - Kubernetes Worker Nodes must not have sshd service running.

ACCESS CONTROL

CNTR-K8-000410 - Kubernetes Worker Nodes must not have the sshd service enabled.

ACCESS CONTROL

CNTR-K8-000420 - Kubernetes dashboard must not be enabled.

ACCESS CONTROL

CNTR-K8-000430 - Kubernetes Kubectl cp command must give expected access and results.

ACCESS CONTROL

CNTR-K8-000440 - The Kubernetes kubelet static PodPath must not enable static pods.

ACCESS CONTROL

CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - kubelet

ACCESS CONTROL

CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - manifest

ACCESS CONTROL

CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - kubelet

ACCESS CONTROL

CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - manifest

ACCESS CONTROL

CNTR-K8-000470 - The Kubernetes API server must have Alpha APIs disabled.

ACCESS CONTROL

CNTR-K8-000600 - The Kubernetes API Server must have an audit policy set.

AUDIT AND ACCOUNTABILITY

CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set.

AUDIT AND ACCOUNTABILITY

CNTR-K8-000700 - Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

CNTR-K8-000850 - Kubernetes Kubelet must deny hostname override.

CONFIGURATION MANAGEMENT

CNTR-K8-000860 - The Kubernetes manifests must be owned by root.

CONFIGURATION MANAGEMENT

CNTR-K8-000880 - The Kubernetes kubelet configuration file must be owned by root.

CONFIGURATION MANAGEMENT

CNTR-K8-000890 - The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive.

CONFIGURATION MANAGEMENT

CNTR-K8-000900 - The Kubernetes manifests must have least privileges.

CONFIGURATION MANAGEMENT

CNTR-K8-000910 - Kubernetes Controller Manager must disable profiling.

CONFIGURATION MANAGEMENT

CNTR-K8-000920 - The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000930 - The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000940 - The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000950 - The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000960 - The Kubernetes cluster must use non-privileged host ports for user pods.

CONFIGURATION MANAGEMENT

CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables.

IDENTIFICATION AND AUTHENTICATION

CNTR-K8-001300 - Kubernetes Kubelet must not disable timeouts.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001360 - Kubernetes must separate user functionality.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001400 - The Kubernetes API server must use approved cipher suites.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001410 - Kubernetes API Server must have the SSL Certificate Authority set.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001420 - Kubernetes Kubelet must have the SSL Certificate Authority set.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001430 - Kubernetes Controller Manager must have the SSL Certificate Authority set.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication - tls-cert-file

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication - tls-private-key-file

SYSTEM AND COMMUNICATIONS PROTECTION