DISA STIG Kubernetes v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: DISA STIG Kubernetes v2r2

Updated: 8/12/2025

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 52

Audit Items

Description | Categories
CNTR-K8-000160 - The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000190 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload.
CNTR-K8-000270 - The Kubernetes API Server must enable Node,RBAC as the authorization mode.
CNTR-K8-000290 - User-managed resources must be created in dedicated namespaces.
CNTR-K8-000320 - The Kubernetes API server must have the insecure port flag disabled.
CNTR-K8-000330 - The Kubernetes Kubelet must have the 'readOnlyPort' flag disabled - readOnlyPort flag disabled.
CNTR-K8-000350 - The Kubernetes API server must have the secure port set.
CNTR-K8-000360 - The Kubernetes API server must have anonymous authentication disabled.
CNTR-K8-000380 - The Kubernetes kubelet must enable explicit authorization.
CNTR-K8-000400 - Kubernetes Worker Nodes must not have sshd service running.
CNTR-K8-000420 - Kubernetes dashboard must not be enabled.
CNTR-K8-000430 - Kubernetes Kubectl cp command must give expected access and results.
CNTR-K8-000440 - The Kubernetes kubelet staticPodPath must not enable static pods.
CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - kubelet
CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - kubelet
CNTR-K8-000470 - The Kubernetes API server must have Alpha APIs disabled.
CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set.
CNTR-K8-000850 - Kubernetes Kubelet must deny hostname override.
CNTR-K8-000860 - The Kubernetes manifests must be owned by root.
CNTR-K8-000900 - The Kubernetes manifest files must have least privileges.
CNTR-K8-000910 - Kubernetes Controller Manager must disable profiling.
CNTR-K8-000930 - The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-000940 - The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).
CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables.
CNTR-K8-001400 - The Kubernetes API server must use approved cipher suites.
CNTR-K8-001420 - Kubernetes Kubelet must have the SSL Certificate Authority set.
CNTR-K8-001430 - Kubernetes Controller Manager must have the SSL Certificate Authority set.
CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication.
CNTR-K8-001450 - Kubernetes etcd must enable client authentication to secure service.
CNTR-K8-001490 - Kubernetes etcd must have a key file for secure communication.
CNTR-K8-001500 - Kubernetes etcd must have a certificate for communication.
CNTR-K8-001510 - Kubernetes etcd must have the SSL Certificate Authority set.
CNTR-K8-001540 - Kubernetes etcd must have peer-cert-file set for secure communication.
CNTR-K8-001550 - Kubernetes etcd must have a peer-key-file set for secure communication.
CNTR-K8-001620 - Kubernetes Kubelet must enable kernel protection.
CNTR-K8-002000 - The Kubernetes API server must have the ValidatingAdmissionWebhook enabled.
CNTR-K8-002001 - Kubernetes must enable PodSecurity admission controller on static pods and Kubelets.
CNTR-K8-002600 - Kubernetes API Server must configure timeouts to limit attack surface.
CNTR-K8-002620 - Kubernetes API Server must disable basic authentication to protect information in transit.
CNTR-K8-002700 - Kubernetes must remove old components after updated versions have been installed.
CNTR-K8-003120 - The Kubernetes component etcd must be owned by etcd.
CNTR-K8-003140 - The Kubernetes Kube Proxy kubeconfig must have file permissions set to 644 or more restrictive.
CNTR-K8-003150 - The Kubernetes Kube Proxy kubeconfig must be owned by root.
CNTR-K8-003260 - The Kubernetes etcd must have file permissions set to 644 or more restrictive.
CNTR-K8-003270 - The Kubernetes admin kubeconfig must have file permissions set to 644 or more restrictive.
CNTR-K8-003280 - Kubernetes API Server audit logs must be enabled.
CNTR-K8-003290 - The Kubernetes API Server must be set to audit log max size.
CNTR-K8-003300 - The Kubernetes API Server must be set to audit log maximum backup.
CNTR-K8-003320 - The Kubernetes API Server audit log path must be set.