1.2.21 Ensure that the --profiling argument is set to false

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Disable profiling, if not needed.

Rationale:

Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.

--profiling=false

Impact:

Profiling information would not be available.

Default Value:

By default, profiling is enabled.

References:

https://kubernetes.io/docs/admin/kube-apiserver/

https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|14, CSCv7|14

Plugin: Unix

Control ID: e60b133b6032bfa7e5a09435b5ff6fff72761f2ed488c720d977e2a297e7f2d9