Check: CNTR-K8-001620
Kubernetes STIG:
CNTR-K8-001620
(in versions v1 r6 through v1 r1)
Title
Kubernetes Kubelet must enable kernel protection. (Cat I impact)
Discussion
System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.
Check Content
Change to the /etc/sysconfig/ directory on the Kubernetes Master Node. Run the command: grep -i protect-kernel-defaults kubelet If the setting "protect-kernel-defaults" is set to false or not set in the Kubernetes Kubelet, this is a finding.
Fix Text
Edit the Kubernetes Kubelet file in the /etc/sysconfig directory on the Kubernetes Master Node. Set the argument "--protect-kernel-defaults" to "true". Reset Kubelet service using the following command: service kubelet restart
Additional Identifiers
Rule ID: SV-242434r825894_rule
Vulnerability ID: V-242434
Group Title: SRG-APP-000233-CTR-000585
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001084 |
The information system isolates security functions from nonsecurity functions. |
Controls
Number | Title |
---|---|
SC-3 |
Security Function Isolation |