DISA STIG Kubernetes v1r6

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Kubernetes v1r6

Updated: 6/13/2023

Authority: DISA STIG

Plugin: Unix

Revision: 1.3

Estimated Item Count: 98

Audit Items

DescriptionCategories
CNTR-K8-000150 - The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000160 - The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000170 - The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000180 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000190 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload.
CNTR-K8-000270 - The Kubernetes API Server must enable Node,RBAC as the authorization mode.
CNTR-K8-000290 - User-managed resources must be created in dedicated namespaces.
CNTR-K8-000300 - The Kubernetes Scheduler must have secure binding.
CNTR-K8-000310 - The Kubernetes Controller Manager must have secure binding.
CNTR-K8-000320 - The Kubernetes API server must have the insecure port flag disabled.
CNTR-K8-000330 - The Kubernetes Kubelet must have the read-only port flag disabled.
CNTR-K8-000340 - The Kubernetes API server must have the insecure bind address not set.
CNTR-K8-000350 - The Kubernetes API server must have the secure port set.
CNTR-K8-000360 - The Kubernetes API server must have anonymous authentication disabled.
CNTR-K8-000370 - The Kubernetes Kubelet must have anonymous authentication disabled.
CNTR-K8-000380 - The Kubernetes kubelet must enable explicit authorization.
CNTR-K8-000400 - Kubernetes Worker Nodes must not have sshd service running.
CNTR-K8-000410 - Kubernetes Worker Nodes must not have the sshd service enabled.
CNTR-K8-000420 - Kubernetes dashboard must not be enabled.
CNTR-K8-000430 - Kubernetes Kubectl cp command must give expected access and results.
CNTR-K8-000440 - The Kubernetes kubelet static PodPath must not enable static pods.
CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - kubelet
CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - manifest
CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - kubelet
CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - manifest
CNTR-K8-000470 - The Kubernetes API server must have Alpha APIs disabled.
CNTR-K8-000600 - The Kubernetes API Server must have an audit policy set.
CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set.
CNTR-K8-000700 - Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
CNTR-K8-000850 - Kubernetes Kubelet must deny hostname override.
CNTR-K8-000860 - The Kubernetes manifests must be owned by root.
CNTR-K8-000880 - The Kubernetes kubelet configuration file must be owned by root.
CNTR-K8-000890 - The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive.
CNTR-K8-000900 - The Kubernetes manifests must have least privileges.
CNTR-K8-000910 - Kubernetes Controller Manager must disable profiling.
CNTR-K8-000920 - The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000930 - The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000940 - The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000950 - The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000960 - The Kubernetes cluster must use non-privileged host ports for user pods.
CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables.
CNTR-K8-001300 - Kubernetes Kubelet must not disable timeouts.
CNTR-K8-001360 - Kubernetes must separate user functionality.
CNTR-K8-001400 - The Kubernetes API server must use approved cipher suites.
CNTR-K8-001410 - Kubernetes API Server must have the SSL Certificate Authority set.
CNTR-K8-001420 - Kubernetes Kubelet must have the SSL Certificate Authority set.
CNTR-K8-001430 - Kubernetes Controller Manager must have the SSL Certificate Authority set.
CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication - tls-cert-file
CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication - tls-private-key-file