Detections
Analytics
CNTR-R2-000550 - Rancher RKE2 must be configured with only essential configurations.
Information
It is important to disable any unnecessary components to reduce any potential attack surfaces.RKE2 allows disabling the following components:
- rke2-canal
- rke2-coredns
- rke2-ingress-nginx
- rke2-kube-proxy
- rke2-metrics-server
If utilizing any of these components presents a security risk, or if any of the components are not required then they can be disabled by using the "disable" flag.
If any of the components are not required, they can be disabled by using the "disable" flag.
Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Disable unnecessary RKE2 components.Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a "disable" flag if any default RKE2 components are unnecessary.
Example:
disable: rke2-canal
disable: rke2-coredns
disable: rke2-ingress-nginx
disable: rke2-kube-proxy
disable: rke2-metrics-server
Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RGS_RKE2_V2R5_STIG.zip
Item Details
Audit Name: DISA Rancher Government Solutions RKE2 STIG v2r5
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-7(2), 800-53|CM-7a., CAT|II, CCI|CCI-000381, CCI|CCI-001764, Rule-ID|SV-254565r960963_rule, STIG-ID|CNTR-R2-000550, Vuln-ID|V-254565
Plugin: Unix
Control ID: b1af8e234254176c739c22027085dbcb64316b3ae3f91a1e500f9b735da351a9