Check: CNTR-K8-000860
Kubernetes STIG:
CNTR-K8-000860
(in versions v2 r2 through v1 r7)
Title
The Kubernetes manifests must be owned by root. (Cat II impact)
Discussion
The manifest files contain the runtime configuration of the API server, proxy, scheduler, controller, and etcd. If an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherit within Kubernetes with RBAC implemented.
Check Content
On the Control Plane, change to the /etc/kubernetes/manifest directory. Run the command: ls -l * Each manifest file must be owned by root:root. If any manifest file is not owned by root:root, this is a finding.
Fix Text
On the Control Plane, change to the /etc/kubernetes/manifest directory. Run the command: chown root:root * To verify the change took place, run the command: ls -l * All the manifest files should be owned by root:root.
Additional Identifiers
Rule ID: SV-242405r960960_rule
Vulnerability ID: V-242405
Group Title: SRG-APP-000133-CTR-000295
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001499 |
Limit privileges to change software resident within software libraries. |
Controls
Number | Title |
---|---|
CM-5(6) |
Limit Library Privileges |