From a9c0a0e4723382747e7deb5a58262f99a70eaef9 Mon Sep 17 00:00:00 2001 From: Suzana Fernandes Date: Tue, 1 Jul 2025 18:42:05 +0000 Subject: [PATCH] Configuration for CIS Benchmark Containers and Hosts Standards Story: 2011337 Task: 52527 Story: 2011253 task: 52529 Change-Id: I6856a7194e103885e9bdf905a6eb7ecc34ee6fac Signed-off-by: Suzana Fernandes --- ...-for-containers-standards-3df0c174ffe2.rst | 94 ++++++ ...hmark-for-hosts-standards-bc2c3f582895.rst | 290 ++++++++++++++++++ .../index-security-kub-81153c1254c3.rst | 11 + doc/source/shared/abbrevs.txt | 1 + 4 files changed, 396 insertions(+) create mode 100644 doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2.rst create mode 100644 doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895.rst diff --git a/doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2.rst b/doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2.rst new file mode 100644 index 000000000..4c6104cfa --- /dev/null +++ b/doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2.rst 
@@ -0,0 +1,94 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2: + +========================================================== +Configure System to CIS Benchmark for Containers Standards +========================================================== + +By default, |prod| complies with the |CIS| Benchmark for containers for most +specifications. Some specifications outlined in the |CIS| Benchmark that are +not met by default, |prod| can be configured to comply with these requirements. +However, these configurations may affect system performance. The relevant |CIS| +Benchmark specifications, along with the necessary |prod| configuration steps +to achieve compliance, are detailed below. Before applying these configurations +in a live deployment, carefully assess their performance implications in the +context of your specific security and operational needs. + +CIS-1.2.11 + Ensure that the admission control plugin AlwaysPullImages is set ``https://hub.armosec.io/docs/c-0123`` + +CIS-1.2.17 + Ensure that the API Server ``--profiling`` argument is set to ``false`` ``https://hub.armosec.io/docs/c-0129`` + +CIS-1.2.19 + Ensure that the API Server ``--audit-log-maxage`` argument is set to ``30`` or as appropriate ``https://hub.armosec.io/docs/c-0131`` + +CIS-3.2.1 + Ensure that a minimal audit policy is created ``https://hub.armosec.io/docs/c-0160`` + +These |CIS| specifications are not applied by default in |prod| and require you +to configure them if you want to comply to these |CIS| specifications. The +configuration mentioned in the table below are example minimal configurations +required for |CIS| specifications; you should configure them according to your +actual needs. + +.. 
table:: + :widths: auto + + +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + | Specification | Attribute | Semantic | Configuration | + +==========================+===========================+========================================================================================================================================+==========================================================================+ + | CIS- 1.2.11 | AlwaysPullImages | Forces the kubelet to always pull container images prior to starting containers, ensuring the latest image is used | --enable-admission-plugins=..., NodeRestriction,AlwaysPullImages | + +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + | CIS- 1.2.17 | Profiling | Disabling profiling prevents exposure of sensitive performance data | --profiling=false | + +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + | CIS- 1.2.19 | audit-log-maxage | Specifies the maximum number of days to retain old audit logs | --audit-log-maxage=30 | + +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + | CIS- 3.2.1 | audit-policy-file | Defines minimal audit policy | --audit-policy-file= 
/etc/kubernetes/default-audit-policy.yaml | + +--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + +An example of the |prod| commands used to configure these parameters is available +in the script located at ``/usr/local/bin/apiserver_cis_compliance.sh``. For +testing purposes only, this script can be executed from the active controller +to configure the ``kube-apiserver`` in accordance with the |CIS| Benchmark +specifications mentioned above. + + +.. warning:: + + **Critical Warning:** + + - CIS-1.2.9 is not remediated. + + To adhere to this control point, it is required to configure ``enable-admission-plugins="EventRateLimit"``. + But this configuration causes the API server to fail during startup due to a + longstanding issue in Kubernetes. This is a known Kubernetes bug tracked + (Kubernetes Issue #62861, https://github.com/kubernetes/kubernetes/issues/62861). + Therefore, it is not recommended to configure this until this bug is resolved. + + + **Minor Warning:** + + - CIS-1.2.12 is not applicable to the current version. + + To adhere to this control point, it is required to configure ``enable-admission-plugins= “SecurityContextDeny”``. + But this POD security policy is valid for Kubernetes versions prior to 1.24. + The minimum supported Kubernetes version in |prod| is v1.29, where ``SecurityContextDeny`` + POD security policy is deprecated and removed from the API server. + + + - CIS-1.2.20 related Configuration (audit-log-maxbackup=10) is present, but not detected by CIS scanning tool. + + The configuration required for this control point is already configured during + bootstrap, but the scanning tool may incorrectly flag it due to limitations in + runtime argument introspection. 
+ + + - CIS-1.2.21 related Configuration (audit-log-maxsize=100) is present, but not detected by CIS scanning tool. + + The configuration required for this control point is already configured during + bootstrap, but the scanning tool may incorrectly flag it due to limitations in + runtime argument introspection. + diff --git a/doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895.rst b/doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895.rst new file mode 100644 index 000000000..8ae6d1bd7 --- /dev/null +++ b/doc/source/security/kubernetes/configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895.rst 
@@ -0,0 +1,290 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895: + +===================================================== +Configure System to CIS Benchmark for Hosts Standards +===================================================== + +By default, |prod| complies with the |CIS| Benchmark for hosts for most +specifications. Some specifications outlined in the |CIS| Benchmark that are +not met by default, |prod| can be configured to comply with these requirements. +However, these configurations may affect system performance. The relevant |CIS| +Benchmark specifications, along with the necessary |prod| configuration steps +to achieve compliance, are detailed below. Before applying these configurations +in a live deployment, carefully assess their performance implications in the +context of your specific security and operational needs. + +AppArmor +======== + +Related AppArmor CIS Benchmark Specifications +--------------------------------------------- + +- 1.3.1.2 Ensure AppArmor is enabled in the bootloader configuration. https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v2.0.0_L1_Workstation.audit:6150e4d8e2c36c243c64fe6c74da03ad + +- 1.3.1.3 Ensure all AppArmor Profiles are in enforce or complain mode. https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v2.0.0_L1_Workstation.audit:789ae5507200d59bd348767c3991ada0 + +- 1.3.1.4 Ensure all AppArmor Profiles are enforcing. + +Example Configuration for Compliance +------------------------------------ + +You need to enable AppArmor. By default, AppArmor is disabled, but it can be +enabled on a host using the CLI, as described in :ref:`enable-disable-apparmor-on-a-host-63a7a184d310`. + +.. note:: + + Enabling AppArmor can result in some performance degradation, see |org| + System Engineering Guidelines. 
+ +For testing purposes or as an example, refer to the following script, which +contains commands to enable AppArmor as well as commands for an example AppArmor +configuration. + +.. code-block:: none + + /usr/local/bin/host-cis-benchmark-apparmor-setup.sh + +Auditd +====== + +Related Auditd CIS Benchmark Specifications +------------------------------------------- + +- 6.4.1.1 Ensure auditd packages are installed. + +- 6.4.1.2 Ensure auditd service is enabled and active. + +- 6.4.1.3 Ensure auditing for processes that start prior to auditd is enabled. + +- 6.4.1.4 Ensure audit_backlog_limit is sufficient. + +- 6.4.2.1 Ensure audit log storage size is configured. + +- 6.4.2.2 Ensure audit logs are not automatically deleted. + +- 6.4.2.3 Ensure system is disabled when audit logs are full. + +- 6.4.2.4 Ensure system warns when audit logs are low on space. + +- 6.4.3.1 Ensure changes to system administration scope (sudoers) is collected. + +- 6.4.3.10 Ensure successful file system mounts are collected. + +- 6.4.3.11 Ensure session initiation information is collected. + +- 6.4.3.12 Ensure login and logout events are collected. + +- 6.4.3.13 Ensure file deletion events by users are collected. + +- 6.4.3.14 Ensure events that modify the system's Mandatory Access Controls are collected. + +- 6.4.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded. + +- 6.4.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded. + +- 6.4.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded. + +- 6.4.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded. + +- 6.4.3.19 Ensure kernel module loading unloading and modification is collected. + +- 6.4.3.2 Ensure actions as another user are always logged. + +- 6.4.3.20 Ensure the audit configuration is immutable. + +- 6.4.3.4 Ensure events that modify date and time information are collected. 
+ +- 6.4.3.5 Ensure events that modify the system's network environment are collected. + +- 6.4.3.6 Ensure use of privileged commands are collected. + +- 6.4.3.7 Ensure unsuccessful file access attempts are collected. + +- 6.4.3.8 Ensure events that modify user/group information are collected. + +- 6.4.3.9 Ensure discretionary access control permission modification events are collected. + +- 6.4.4.1 Ensure audit log files mode is configured. + +- 6.4.4.2 Ensure audit log files owner is configured. + +- 6.4.4.4 Ensure the audit log file directory mode is configured. + +Example Configuration for Compliance +------------------------------------ + +|prod| provides a containerized auditd solution, while |CIS| Benchmark checks +auditd configuration and rules on the host. Your configuration can be applied as +specified in the following steps. + +.. rubric:: |proc| + +#. Enable auditd in the Kernel. + + See Enable Auditd in the Kernel in :ref:`auditd-support-339a51d8ce16` documentation. + +#. Start the auditd system application. + + See Start Auditd System Application in :ref:`auditd-support-339a51d8ce16` documentation. + +#. Apply auditd configuration overrides. + + To align the system with CIS requirements, the ``auditd.conf`` configuration + overrides should be applied to modify the default settings. These changes can + be implemented using the system ``helm-override-update`` command following + the procedure outlined in the Auditd Configuration Overrides section in :ref:`auditd-support-339a51d8ce16` documentation. + + .. note:: + + The following ``auditd.conf`` file is for example or testing purposes only. 
+ + :: + + auditdconf: |- + ########################################################################## + # + # auditd.conf + # + ########################################################################## + local_events = yes + write_logs = yes + log_file = /var/log/audit/audit.log + log_group = root + log_format = RAW + flush = INCREMENTAL_ASYNC + freq = 50 + max_log_file = 32 + num_logs = 5 + priority_boost = 4 + disp_qos = lossy + dispatcher = /sbin/audispd + name_format = NONE + ##name = mydomain + max_log_file_action = IGNORE + space_left = 75 + space_left_action = halt + ##verify_email = yes + ##action_mail_acct = root + admin_space_left = 50 + admin_space_left_action = halt + disk_full_action = halt + disk_error_action = halt + use_libwrap = yes + ##tcp_listen_port = 60 + ##tcp_listen_queue = 5 + ##tcp_max_per_addr = 1 + ##tcp_client_ports = 1024-65535 + ##tcp_client_max_idle = 0 + enable_krb5 = no + krb5_principal = auditd + ##krb5_key_file = /etc/audit/audit.key + distribute_network = no + overflow_action = halt + auditdrules: |- + ## First rule - delete all + -D + + ## Increase the buffers to survive stress events. 
+ ## Make this bigger for busy systems + -b 8192 + + ## Set failure mode to syslog + -f 1 + -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts + -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts + -w /etc/sudoers -p wa -k scope + -w /etc/sudoers.d/ -p wa -k scope + -w /var/run/utmp -p wa -k session + -w /var/log/wtmp -p wa -k logins + -w /var/log/btmp -p wa -k logins + -w /var/log/lastlog -p wa -k logins + -w /var/run/faillock -p wa -k logins + -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete + -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete + -w /etc/apparmor/ -p wa -k MAC-policy + -w /etc/apparmor.d/ -p wa -k MAC-policy + ##Ensure successful and unsuccessful attempts to use the chcon command are recorded + -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k kernel_modules + -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules + -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change + -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change + -w /etc/localtime -p wa -k time-change + -e 2 + ## Monitor successful and unsuccessful attempts to use the setfacl command + -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + ## Monitor successful and unsuccessful attempts to use the chacl command + -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng + ## Monitor successful and unsuccessful attempts to use the usermod command + -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod + ## Monitor changes to system hostname and locale files + -a always,exit -F arch=b64 -S 
sethostname,setdomainname -k system-locale + -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale + -w /etc/issue -p wa -k system-locale + -w /etc/issue.net -p wa -k system-locale + -w /etc/hosts -p wa -k system-locale + -w /etc/networks -p wa -k system-locale + -w /etc/network/ -p wa -k system-locale + -w /etc/netplan/ -p wa -k system-locale + -a always,exit -F path=/sysroot -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/rltraceroute6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/ssh -agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/ndisc6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/bin/rdisc6 
-F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/libexec/polkit -agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/sbin/lldpcli -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=unset -k privileged + -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + -a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access + -a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access + -w /etc/passwd -p wa -k identity + -w /etc/gshadow -p wa -k identity + -w /etc/shadow -p wa -k identity + -w /etc/security/opasswd -p wa -k identity + -w 
/etc/nsswitch.conf -p wa -k identity + -w /etc/pam.conf -p wa -k identity + -w /etc/pam.d -p wa -k identity + ## Monitor events where UID != EUID (i.e., when a process is executed with elevated privileges) + -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation + -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation + -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +.. warning:: + + **Minor Warning:** + + The auditd system in |prod| runs in a container. As the |CIS| scanning tools + validate the configurations directly on the host (not within containers), all + audit-related control points may be incorrectly reported as failed, even when + the above steps are correctly configured. \ No newline at end of file diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index 688b6ef52..5169fef76 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst 
@@ -400,3 +400,14 @@ Appendix: Locally creating certificates create-certificates-locally-using-openssl create-certificates-locally-using-cert-manager-on-the-controller + +****************************************** +Appendix: Configurations for CIS benchmark +****************************************** + +.. toctree:: + :maxdepth: 1 + + configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895 + configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2 + diff --git a/doc/source/shared/abbrevs.txt b/doc/source/shared/abbrevs.txt index 29f54793c..7f12f5cb5 100755 --- a/doc/source/shared/abbrevs.txt +++ b/doc/source/shared/abbrevs.txt @@ -25,6 +25,7 @@ .. |CA| replace:: :abbr:`CA (Certificate Authority)` .. |CAs| replace:: :abbr:`CAs (Certificate Authorities)` .. |CDI| replace:: :abbr:`CDI (Containerized Data Importer)` +.. |CIS| replace:: :abbr:`CIS (Center for Internet Security)` .. |CLI| replace:: :abbr:`CLI (Command Line Interface)` .. |CLIs| replace:: :abbr:`CLIs (Command Line Interfaces)` .. |CNAB| replace:: :abbr:`CNAB (Cloud Native Application Bundle)`
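Review bot: In the containers page hunk, the "Semantic" cell for CIS-1.2.11 misstates why the benchmark wants AlwaysPullImages and so omits the operational cost that follows from the real reason. The control exists so that a pod cannot start from an image already cached on the node without presenting valid pull credentials (a tenant without an imagePullSecret cannot reuse another tenant's private image); "ensuring the latest image is used" is a side effect. Because every container start then needs a successful registry round-trip, pod restarts fail while the registry is unreachable, which matters more than the "may affect system performance" caveat in the intro and belongs next to the flag. The `--audit-log-maxage`, `--audit-log-maxbackup` and `--audit-log-maxsize` flags only take effect when `--audit-log-path` is set, so the table and the 1.2.20/1.2.21 warnings should state that the log path is configured at bootstrap, and the 3.2.1 row should show or link the contents of `/etc/kubernetes/default-audit-policy.yaml` so the reader knows which requests are actually recorded. In the warning block, the CIS-1.2.12 text calls `SecurityContextDeny` a "POD security policy", says it is "valid for Kubernetes versions prior to 1.24" and then says it is "deprecated and removed" in v1.29; it is an admission plugin rather than a PodSecurityPolicy, and as far as I know it was deprecated in v1.27 and removed in v1.30, so please check the upstream deprecation notes, state the deprecation and removal versions separately, and point the reader at the built-in PodSecurity admission (Pod Security Standards) as the replacement. Copy-paste hazards: `enable-admission-plugins= “SecurityContextDeny”` uses curly quotes and a space, `--enable-admission-plugins=..., NodeRestriction,AlwaysPullImages` has a space after the comma, and `--audit-policy-file= /etc/kubernetes/default-audit-policy.yaml` has a space after `=`; comma-separated flag values must not contain spaces.

Smaller items in the same hunk: the intro sentence "Some specifications outlined in the |CIS| Benchmark that are not met by default, |prod| can be configured to comply with these requirements." has no main clause (suggest "For the specifications that are not met by default, |prod| can be configured to comply with them."); "comply to" should be "comply with"; "The configuration mentioned in the table below are" needs "configurations"; the `CIS- 1.2.11` style cells carry a stray space; neither the benchmark edition nor the scanner is ever named (the c-0123/c-0129 links are the Kubescape control library on hub.armosec.io, not CIS), which leaves "complies ... for most specifications" unverifiable; for the 1.2.20/1.2.21 "present but not detected" entries, give the reader a manual check of the running kube-apiserver arguments (its static-pod manifest or process arguments on the active controller) rather than only an assertion that the scanner is wrong; and the `/usr/local/bin/apiserver_cis_compliance.sh` reference should say what the script changes and how to revert it, or show the underlying |prod| commands inline, since "for testing purposes only" on a script that reconfigures the API server gives an operator nothing to assess.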
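Review bot: In the hosts page hunk, the example `auditd.conf` combines `max_log_file_action = IGNORE` with `max_log_file = 32` and `num_logs = 5`, which makes the latter two settings dead: IGNORE disables rotation entirely, so `/var/log/audit/audit.log` grows until the `space_left = 75` threshold (megabytes) is hit, at which point `space_left_action = halt` halts the host and the `admin_space_left_action`, `disk_full_action` and `disk_error_action` tiers (all `halt`) never act separately. CIS 6.4.2.2 is satisfied by `max_log_file_action = keep_logs`, which rotates without deleting, and 6.4.2.4 is titled "warns", so a warning action at `space_left` (email or exec) with halt or single reserved for `admin_space_left_action` preserves the tiering the benchmark intends; whichever values are kept, the note "for example or testing purposes only" should say plainly that this configuration halts a controller on an audit-partition condition. The `dispatcher = /sbin/audispd` line should be checked against the audit version in the container, since audispd was merged into auditd in audit 3.0. In `auditdrules`, `-e 2` sits in the middle of the list (after the `time-change` rules) and is followed by the `perm_chng`, `usermod`, `system-locale`, `privileged`, `access`, `identity`, `user_emulation` and `perm_mod` rules; if the file is loaded with `auditctl -R` those rules are rejected because the configuration is already immutable (augenrules moves `-e` to the end, a plain `auditctl -R` does not), so move `-e 2` to the last line and say which loader the container uses. Three `path=` rules are broken as written: `-F path=/usr/bin/ssh -agent` and `-F path=/usr/libexec/polkit -agent-helper-1` contain a space inside the path, and `-F path=/sysroot -F perm=x` watches execution of a directory, which matches nothing useful and looks like a mount point leaked from the find-based generator the benchmark uses for 6.4.3.6. The benchmark list is sorted lexicographically (6.4.3.1, 6.4.3.10 ... 6.4.3.19, 6.4.3.2, 6.4.3.20, 6.4.3.4) and skips 6.4.3.3 and 6.4.4.3; if those are intentionally out of scope say so, and note that no rule in the example covers the sudo log either.

Smaller items in the same hunk: the intro repeats the containers page's sentence without a main clause ("Some specifications outlined in the |CIS| Benchmark that are not met by default, |prod| can be configured to comply with these requirements."); the 1.3.1.2 and 1.3.1.3 bullets link to a third-party rendering of the Debian 11 L1 Workstation audit while 1.3.1.4 has no reference at all, so cite one CIS benchmark edition consistently; `/usr/local/bin/host-cis-benchmark-apparmor-setup.sh` appears in a `code-block:: none` as a bare path with no indication of whether the reader should run it, what it changes, or how to undo it; the closing warning says every audit control "may be incorrectly reported as failed" but gives no host-side way to confirm the configuration took (for example `auditctl -s` and `auditctl -l` output from the container, and whether `log_file = /var/log/audit/audit.log` is a host path or a container path); and the file is committed without a trailing newline.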