Detections
Analytics

DISA STIG Kubernetes v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Kubernetes v2r2

Updated: 8/12/2025

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 94

File Details

Filename: DISA_STIG_Kubernetes_v2r2.audit

Size: 165 kB

MD5: 01e7263cfb0c6742c959d372f1fcacb8
SHA256: a6cd8195ddfdd93fcd38930c3b9c4e3292e36213ed43fb4a9c8aa8f9b6cc1bb3

Audit Items

DescriptionCategories
CNTR-K8-000150 - The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000160 - The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000170 - The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000180 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000190 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload.
CNTR-K8-000270 - The Kubernetes API Server must enable Node,RBAC as the authorization mode.
CNTR-K8-000290 - User-managed resources must be created in dedicated namespaces.
CNTR-K8-000300 - The Kubernetes Scheduler must have secure binding.
CNTR-K8-000310 - The Kubernetes Controller Manager must have secure binding.
CNTR-K8-000320 - The Kubernetes API server must have the insecure port flag disabled.
CNTR-K8-000330 - The Kubernetes Kubelet must have the 'readOnlyPort' flag disabled - readOnlyPort flag disabled.
CNTR-K8-000340 - The Kubernetes API server must have the insecure bind address not set.
CNTR-K8-000350 - The Kubernetes API server must have the secure port set.
CNTR-K8-000360 - The Kubernetes API server must have anonymous authentication disabled.
CNTR-K8-000370 - The Kubernetes Kubelet must have anonymous authentication disabled.
CNTR-K8-000380 - The Kubernetes kubelet must enable explicit authorization.
CNTR-K8-000400 - Kubernetes Worker Nodes must not have sshd service running.
CNTR-K8-000410 - Kubernetes Worker Nodes must not have the sshd service enabled.
CNTR-K8-000420 - Kubernetes dashboard must not be enabled.
CNTR-K8-000430 - Kubernetes Kubectl cp command must give expected access and results.
CNTR-K8-000440 - The Kubernetes kubelet staticPodPath must not enable static pods.
CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - kubelet
CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - manifest
CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - kubelet
CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - manifest
CNTR-K8-000470 - The Kubernetes API server must have Alpha APIs disabled.
CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set.
CNTR-K8-000700 - Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.
CNTR-K8-000850 - Kubernetes Kubelet must deny hostname override.
CNTR-K8-000860 - The Kubernetes manifests must be owned by root.
CNTR-K8-000880 - The Kubernetes KubeletConfiguration file must be owned by root.
CNTR-K8-000890 - The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.
CNTR-K8-000900 - The Kubernetes manifest files must have least privileges.
CNTR-K8-000910 - Kubernetes Controller Manager must disable profiling.
CNTR-K8-000920 - The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000930 - The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000940 - The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000950 - The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000960 - The Kubernetes cluster must use non-privileged host ports for user pods.
CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables.
CNTR-K8-001300 - Kubernetes Kubelet must not disable timeouts.
CNTR-K8-001360 - Kubernetes must separate user functionality.
CNTR-K8-001400 - The Kubernetes API server must use approved cipher suites.
CNTR-K8-001410 - Kubernetes API Server must have the SSL Certificate Authority set.
CNTR-K8-001420 - Kubernetes Kubelet must have the SSL Certificate Authority set.
CNTR-K8-001430 - Kubernetes Controller Manager must have the SSL Certificate Authority set.
CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication.
CNTR-K8-001450 - Kubernetes etcd must enable client authentication to secure service.
CNTR-K8-001460 - Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.