Title

Kubernetes Worker Nodes must not have the sshd service enabled. (Cat II impact)

Discussion

Worker Nodes are maintained and monitored by the Control Plane. Direct access and manipulation of the nodes must not take place by administrators. Worker nodes must be treated as immutable and updated via replacement rather than in-place upgrades.

Check Content

Log in to each worker node. Verify that the sshd service is not enabled. To validate the service is not enabled, run the command: systemctl is-enabled sshd.service If the service sshd is enabled, this is a finding. Note: If console access is not available, SSH access can be attempted. If the worker nodes cannot be reached, this requirement is "not a finding".

Fix Text

To disable the sshd service, run the command: chkconfig sshd off Note: If access to the worker node is through an SSH session, it is important to realize there are two requirements for disabling and stopping the sshd service that must be done during the same SSH session. Disabling the service must be performed first and then the service stopped to guarantee both settings can be made if the session is interrupted.

Additional Identifiers

Rule ID: SV-242394r879530_rule

Vulnerability ID: V-242394

Group Title: SRG-APP-000033-CTR-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.