Configuration for CIS Benchmark Containers and Hosts Standards

Story: 2011337
Task: 52527

Story: 2011253
Task: 52529

Change-Id: I6856a7194e103885e9bdf905a6eb7ecc34ee6fac
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
This commit is contained in:
Suzana Fernandes
2025-07-01 18:42:05 +00:00
parent 1fa897faff
commit a9c0a0e472
4 changed files with 396 additions and 0 deletions


@@ -0,0 +1,94 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2:
==========================================================
Configure System to CIS Benchmark for Containers Standards
==========================================================
By default, |prod| complies with the |CIS| Benchmark for containers for most
specifications. Some specifications outlined in the |CIS| Benchmark that are
not met by default, |prod| can be configured to comply with these requirements.
However, these configurations may affect system performance. The relevant |CIS|
Benchmark specifications, along with the necessary |prod| configuration steps
to achieve compliance, are detailed below. Before applying these configurations
in a live deployment, carefully assess their performance implications in the
context of your specific security and operational needs.
CIS-1.2.11
Ensure that the admission control plugin AlwaysPullImages is set ``https://hub.armosec.io/docs/c-0123``
CIS-1.2.17
Ensure that the API Server ``--profiling`` argument is set to ``false`` ``https://hub.armosec.io/docs/c-0129``
CIS-1.2.19
Ensure that the API Server ``--audit-log-maxage`` argument is set to ``30`` or as appropriate ``https://hub.armosec.io/docs/c-0131``
CIS-3.2.1
Ensure that a minimal audit policy is created ``https://hub.armosec.io/docs/c-0160``
These |CIS| specifications are not applied by default in |prod| and require you
to configure them if you want to comply to these |CIS| specifications. The
configuration mentioned in the table below are example minimal configurations
required for |CIS| specifications; you should configure them according to your
actual needs.
.. table::
:widths: auto
+--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
| Specification | Attribute | Semantic | Configuration |
+==========================+===========================+========================================================================================================================================+==========================================================================+
| CIS- 1.2.11 | AlwaysPullImages | Forces the kubelet to always pull container images prior to starting containers, ensuring the latest image is used | --enable-admission-plugins=..., NodeRestriction,AlwaysPullImages |
+--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
| CIS- 1.2.17 | Profiling | Disabling profiling prevents exposure of sensitive performance data | --profiling=false |
+--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
| CIS- 1.2.19 | audit-log-maxage | Specifies the maximum number of days to retain old audit logs | --audit-log-maxage=30 |
+--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
| CIS- 3.2.1 | audit-policy-file | Defines minimal audit policy | --audit-policy-file= /etc/kubernetes/default-audit-policy.yaml |
+--------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
An example of the |prod| commands used to configure these parameters is available
in the script located at ``/usr/local/bin/apiserver_cis_compliance.sh``. For
testing purposes only, this script can be executed from the active controller
to configure the ``kube-apiserver`` in accordance with the |CIS| Benchmark
specifications mentioned above.
.. warning::
**Critical Warning:**
- CIS-1.2.9 is not remediated.
To adhere to this control point, it is required to configure ``enable-admission-plugins="EventRateLimit"``.
But this configuration causes the API server to fail during startup due to a
longstanding issue in Kubernetes. This is a known Kubernetes bug tracked
(Kubernetes Issue #62861, https://github.com/kubernetes/kubernetes/issues/62861).
Therefore, it is not recommended to configure this until this bug is resolved.
**Minor Warning:**
- CIS-1.2.12 is not applicable to the current version.
To adhere to this control point, it is required to configure ``enable-admission-plugins= “SecurityContextDeny”``.
But this POD security policy is valid for Kubernetes versions prior to 1.24.
The minimum supported Kubernetes version in |prod| is v1.29, where ``SecurityContextDeny``
POD security policy is deprecated and removed from the API server.
- CIS-1.2.20 related Configuration (audit-log-maxbackup=10) is present, but not detected by CIS scanning tool.
The configuration required for this control point is already configured during
bootstrap, but the scanning tool may incorrectly flag it due to limitations in
runtime argument introspection.
- CIS-1.2.21 related Configuration (audit-log-maxsize=100) is present, but not detected by CIS scanning tool.
The configuration required for this control point is already configured during
bootstrap, but the scanning tool may incorrectly flag it due to limitations in
runtime argument introspection.
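Review bot: the Configuration column of the table carries spaces inside flag values, `--audit-policy-file= /etc/kubernetes/default-audit-policy.yaml` and `--enable-admission-plugins=..., NodeRestriction,AlwaysPullImages`; pasted into a shell or a manifest args list these split into separate tokens, leaving an empty policy path and a plugin named ` NodeRestriction`. Drop the spaces and mark the `...` explicitly as a placeholder for the existing plugin list. The Critical Warning then writes `enable-admission-plugins="EventRateLimit"` as a single value, while the table shows the same flag as a comma-joined list, so a reader applying it literally would replace NodeRestriction and AlwaysPullImages rather than add to them; word it as appending EventRateLimit to the list (and note that the page gives no `--admission-control-config-file` for it, which is what a reader will need next). In the Minor Warning, `“SecurityContextDeny”` uses typographic quotes that break copy-paste, and the text calls it a "POD security policy" although the line itself configures it through `enable-admission-plugins`; it is an admission plugin, distinct from the removed PodSecurityPolicy API, so reword and re-verify the version at which it was removed before stating it. For CIS-1.2.20 and CIS-1.2.21 the doc says the values are present but not detected by the scanner; add the command an operator can run on the active controller to confirm the running kube-apiserver arguments, so the finding can be dispositioned as a false positive with evidence.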


@@ -0,0 +1,290 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895:
=====================================================
Configure System to CIS Benchmark for Hosts Standards
=====================================================
By default, |prod| complies with the |CIS| Benchmark for hosts for most
specifications. Some specifications outlined in the |CIS| Benchmark that are
not met by default, |prod| can be configured to comply with these requirements.
However, these configurations may affect system performance. The relevant |CIS|
Benchmark specifications, along with the necessary |prod| configuration steps
to achieve compliance, are detailed below. Before applying these configurations
in a live deployment, carefully assess their performance implications in the
context of your specific security and operational needs.
AppArmor
========
Related AppArmor CIS Benchmark Specifications
---------------------------------------------
- 1.3.1.2 Ensure AppArmor is enabled in the bootloader configuration. https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v2.0.0_L1_Workstation.audit:6150e4d8e2c36c243c64fe6c74da03ad
- 1.3.1.3 Ensure all AppArmor Profiles are in enforce or complain mode. https://www.tenable.com/audits/items/CIS_Debian_Linux_11_v2.0.0_L1_Workstation.audit:789ae5507200d59bd348767c3991ada0
- 1.3.1.4 Ensure all AppArmor Profiles are enforcing.
Example Configuration for Compliance
------------------------------------
You need to enable AppArmor. By default, AppArmor is disabled, but it can be
enabled on a host using the CLI, as described in :ref:`enable-disable-apparmor-on-a-host-63a7a184d310`.
.. note::
Enabling AppArmor can result in some performance degradation, see |org|
System Engineering Guidelines.
For testing purposes or as an example, refer to the following script, which
contains commands to enable AppArmor as well as commands for an example AppArmor
configuration.
.. code-block:: none
/usr/local/bin/host-cis-benchmark-apparmor-setup.sh <host_name>
Auditd
======
Related Auditd CIS Benchmark Specifications
-------------------------------------------
- 6.4.1.1 Ensure auditd packages are installed.
- 6.4.1.2 Ensure auditd service is enabled and active.
- 6.4.1.3 Ensure auditing for processes that start prior to auditd is enabled.
- 6.4.1.4 Ensure audit_backlog_limit is sufficient.
- 6.4.2.1 Ensure audit log storage size is configured.
- 6.4.2.2 Ensure audit logs are not automatically deleted.
- 6.4.2.3 Ensure system is disabled when audit logs are full.
- 6.4.2.4 Ensure system warns when audit logs are low on space.
- 6.4.3.1 Ensure changes to system administration scope (sudoers) is collected.
- 6.4.3.10 Ensure successful file system mounts are collected.
- 6.4.3.11 Ensure session initiation information is collected.
- 6.4.3.12 Ensure login and logout events are collected.
- 6.4.3.13 Ensure file deletion events by users are collected.
- 6.4.3.14 Ensure events that modify the system's Mandatory Access Controls are collected.
- 6.4.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded.
- 6.4.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded.
- 6.4.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded.
- 6.4.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded.
- 6.4.3.19 Ensure kernel module loading unloading and modification is collected.
- 6.4.3.2 Ensure actions as another user are always logged.
- 6.4.3.20 Ensure the audit configuration is immutable.
- 6.4.3.4 Ensure events that modify date and time information are collected.
- 6.4.3.5 Ensure events that modify the system's network environment are collected.
- 6.4.3.6 Ensure use of privileged commands are collected.
- 6.4.3.7 Ensure unsuccessful file access attempts are collected.
- 6.4.3.8 Ensure events that modify user/group information are collected.
- 6.4.3.9 Ensure discretionary access control permission modification events are collected.
- 6.4.4.1 Ensure audit log files mode is configured.
- 6.4.4.2 Ensure audit log files owner is configured.
- 6.4.4.4 Ensure the audit log file directory mode is configured.
Example Configuration for Compliance
------------------------------------
|prod| provides a containerized auditd solution, while |CIS| Benchmark checks
auditd configuration and rules on the host. Your configuration can be applied as
specified in the following steps.
.. rubric:: |proc|
#. Enable auditd in the Kernel.
See Enable Auditd in the Kernel in :ref:`auditd-support-339a51d8ce16` documentation.
#. Start the auditd system application.
See Start Auditd System Application in :ref:`auditd-support-339a51d8ce16` documentation.
#. Apply auditd configuration overrides.
To align the system with CIS requirements, the ``auditd.conf`` configuration
overrides should be applied to modify the default settings. These changes can
be implemented using the system ``helm-override-update`` command following
the procedure outlined in the Auditd Configuration Overrides section in :ref:`auditd-support-339a51d8ce16` documentation.
.. note::
The following ``auditd.conf`` file is for example or testing purposes only.
::
auditdconf: |-
##########################################################################
#
# auditd.conf
#
##########################################################################
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 32
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = IGNORE
space_left = 75
space_left_action = halt
##verify_email = yes
##action_mail_acct = root
admin_space_left = 50
admin_space_left_action = halt
disk_full_action = halt
disk_error_action = halt
use_libwrap = yes
##tcp_listen_port = 60
##tcp_listen_queue = 5
##tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
##tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
overflow_action = halt
auditdrules: |-
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
##Ensure successful and unsuccessful attempts to use the chcon command are recorded
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k kernel_modules
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-e 2
## Monitor successful and unsuccessful attempts to use the setfacl command
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
## Monitor successful and unsuccessful attempts to use the chacl command
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
## Monitor successful and unsuccessful attempts to use the usermod command
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod
## Monitor changes to system hostname and locale files
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/networks -p wa -k system-locale
-w /etc/network/ -p wa -k system-locale
-w /etc/netplan/ -p wa -k system-locale
-a always,exit -F path=/sysroot -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/rltraceroute6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/ssh -agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/ndisc6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/rdisc6 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/polkit -agent-helper-1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/lldpcli -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/nsswitch.conf -p wa -k identity
-w /etc/pam.conf -p wa -k identity
-w /etc/pam.d -p wa -k identity
## Monitor events where UID != EUID (i.e., when a process is executed with elevated privileges)
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
.. warning::
**Minor Warning:**
The auditd system in |prod| runs in a container. As the |CIS| scanning tools
validate the configurations directly on the host (not within containers), all
audit-related control points may be incorrectly reported as failed, even when
the above steps are correctly configured.
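Review bot: in `auditdrules`, `-e 2` sits mid-file, immediately after `-w /etc/localtime -p wa -k time-change`, with some sixty rules following it. auditctl processes the file top to bottom and `-e 2` makes the configuration immutable, so the rules after it (setfacl/chacl/usermod, system-locale, privileged, access, identity, user_emulation, perm_mod) will not be loaded until the next reboot; move `-e 2` to the last line, which is also what 6.4.3.20 expects. Two `path=` values contain a stray space, `-F path=/usr/bin/ssh -agent -F perm=x ...` and `-F path=/usr/libexec/polkit -agent-helper-1 -F perm=x ...`, which makes those two rules fail to parse; they should read `/usr/bin/ssh-agent` and `/usr/libexec/polkit-agent-helper-1`. In `auditdconf`, `max_log_file_action = IGNORE` will not satisfy 6.4.2.2, which checks for `keep_logs`, and the combination `space_left_action = halt`, `admin_space_left_action = halt`, `disk_full_action = halt`, `disk_error_action = halt` halts the host as soon as `space_left = 75` MB remains; since the file is labelled example/testing only, the note should say plainly that `halt` takes the node down and that `single` is the less disruptive setting the benchmark also accepts. Minor: the specification list is sorted lexically (6.4.3.1, 6.4.3.10, ..., 6.4.3.19, 6.4.3.2, 6.4.3.20, 6.4.3.4) and skips 6.4.3.3 and 6.4.4.3; sort numerically and state whether those two are intentionally out of scope.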


@@ -400,3 +400,14 @@ Appendix: Locally creating certificates
create-certificates-locally-using-openssl
create-certificates-locally-using-cert-manager-on-the-controller
******************************************
Appendix: Configurations for CIS benchmark
******************************************
.. toctree::
:maxdepth: 1
configuring-system-to-cis-benchmark-for-hosts-standards-bc2c3f582895
configuring-system-to-cis-benchmark-for-containers-standards-3df0c174ffe2
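Review bot: the new appendix heading reads `Appendix: Configurations for CIS benchmark` while both linked pages are titled `Configure System to CIS Benchmark for ... Standards`; capitalize `Benchmark` (and consider `CIS Benchmark Configurations`) so the toctree heading matches the page titles and the `|CIS|` substitution introduced in this commit.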


@@ -25,6 +25,7 @@
.. |CA| replace:: :abbr:`CA (Certificate Authority)`
.. |CAs| replace:: :abbr:`CAs (Certificate Authorities)`
.. |CDI| replace:: :abbr:`CDI (Containerized Data Importer)`
.. |CIS| replace:: :abbr:`CIS (Center for Internet Security)`
.. |CLI| replace:: :abbr:`CLI (Command Line Interface)`
.. |CLIs| replace:: :abbr:`CLIs (Command Line Interfaces)`
.. |CNAB| replace:: :abbr:`CNAB (Cloud Native Application Bundle)`