DISA STIG Kubernetes v2r1

Audit Details

Name: DISA STIG Kubernetes v2r1

Updated: 8/28/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 94

File Details

Filename: DISA_STIG_Kubernetes_v2r1.audit

Size: 193 kB

MD5: 03e526c25b3959592e500214813032f7
SHA256: c404f34402fbb3a7a58aca3278b921d932857454728c8f4577c8767f0d20c98b

Audit Items

DescriptionCategories
CNTR-K8-000150 - The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000160 - The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000170 - The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000180 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000190 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.

ACCESS CONTROL

CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload.

ACCESS CONTROL

CNTR-K8-000270 - The Kubernetes API Server must enable Node,RBAC as the authorization mode.

ACCESS CONTROL

CNTR-K8-000290 - User-managed resources must be created in dedicated namespaces.

CONFIGURATION MANAGEMENT

CNTR-K8-000300 - The Kubernetes Scheduler must have secure binding.

ACCESS CONTROL

CNTR-K8-000310 - The Kubernetes Controller Manager must have secure binding.

ACCESS CONTROL

CNTR-K8-000320 - The Kubernetes API server must have the insecure port flag disabled.

ACCESS CONTROL

CNTR-K8-000330 - The Kubernetes Kubelet must have the 'readOnlyPort' flag disabled - readOnlyPort flag disabled.

ACCESS CONTROL

CNTR-K8-000340 - The Kubernetes API server must have the insecure bind address not set.

ACCESS CONTROL

CNTR-K8-000350 - The Kubernetes API server must have the secure port set.

ACCESS CONTROL

CNTR-K8-000360 - The Kubernetes API server must have anonymous authentication disabled.

ACCESS CONTROL

CNTR-K8-000370 - The Kubernetes Kubelet must have anonymous authentication disabled.

ACCESS CONTROL

CNTR-K8-000380 - The Kubernetes kubelet must enable explicit authorization.

ACCESS CONTROL

CNTR-K8-000400 - Kubernetes Worker Nodes must not have sshd service running.

ACCESS CONTROL

CNTR-K8-000410 - Kubernetes Worker Nodes must not have the sshd service enabled.

ACCESS CONTROL

CNTR-K8-000420 - Kubernetes dashboard must not be enabled.

ACCESS CONTROL

CNTR-K8-000430 - Kubernetes Kubectl cp command must give expected access and results.

ACCESS CONTROL

CNTR-K8-000440 - The Kubernetes kubelet staticPodPath must not enable static pods.

ACCESS CONTROL

CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - kubelet

ACCESS CONTROL

CNTR-K8-000450 - Kubernetes DynamicAuditing must not be enabled - manifest

ACCESS CONTROL

CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - kubelet

ACCESS CONTROL

CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - manifest

ACCESS CONTROL

CNTR-K8-000470 - The Kubernetes API server must have Alpha APIs disabled.

ACCESS CONTROL

CNTR-K8-000610 - The Kubernetes API Server must have an audit log path set.

AUDIT AND ACCOUNTABILITY

CNTR-K8-000700 - Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

CNTR-K8-000850 - Kubernetes Kubelet must deny hostname override.

CONFIGURATION MANAGEMENT

CNTR-K8-000860 - The Kubernetes manifests must be owned by root.

CONFIGURATION MANAGEMENT

CNTR-K8-000880 - The Kubernetes KubeletConfiguration file must be owned by root.

CONFIGURATION MANAGEMENT

CNTR-K8-000890 - The Kubernetes KubeletConfiguration files must have file permissions set to 644 or more restrictive.

CONFIGURATION MANAGEMENT

CNTR-K8-000900 - The Kubernetes manifest files must have least privileges.

CONFIGURATION MANAGEMENT

CNTR-K8-000910 - Kubernetes Controller Manager must disable profiling.

CONFIGURATION MANAGEMENT

CNTR-K8-000920 - The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000930 - The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000940 - The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000950 - The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

CONFIGURATION MANAGEMENT

CNTR-K8-000960 - The Kubernetes cluster must use non-privileged host ports for user pods.

CONFIGURATION MANAGEMENT

CNTR-K8-001160 - Secrets in Kubernetes must not be stored as environment variables.

IDENTIFICATION AND AUTHENTICATION

CNTR-K8-001300 - Kubernetes Kubelet must not disable timeouts.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001360 - Kubernetes must separate user functionality.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001400 - The Kubernetes API server must use approved cipher suites.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001410 - Kubernetes API Server must have the SSL Certificate Authority set.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001420 - Kubernetes Kubelet must have the SSL Certificate Authority set.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001430 - Kubernetes Controller Manager must have the SSL Certificate Authority set.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001440 - Kubernetes API Server must have a certificate for communication.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001450 - Kubernetes etcd must enable client authentication to secure service.

SYSTEM AND COMMUNICATIONS PROTECTION

CNTR-K8-001460 - Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.

SYSTEM AND COMMUNICATIONS PROTECTION