1.2.17 Ensure that the --profiling argument is set to false

Information

Disable profiling, if not needed.

Rationale:

Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.

Impact:

Profiling information would not be available.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the below parameter.

--profiling=false

Default Value:

By default, profiling is enabled.

See Also

https://workbench.cisecurity.org/files/4111

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, CSCv7|6

Plugin: Unix

Control ID: 564f09e11518a8e48f9d22bf594c853d9a69b9d39cb3c6628e271b03a177ccd4