mitre / k8s-node-stig-baseline Goto Github PK

InSpec profile to validate the secure configuration of a Kubernetes node against DISA's Kubernetes Secure Technical Implementation Guide (STIG) Version 1 Release 1.

It is intended and recommended that InSpec and this profile be run from a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely using the SSH transport.

For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.

Latest versions and installation options are available at the InSpec site.

The Kubernetes STIG includes security requirements for both the Kubernetes cluster itself and the nodes that comprise it. This profile includes the checks for the node portion. It is intended to be used in conjunction with the Kubernetes Cluster profile that performs automated compliance checks of the Kubernetes cluster.

• Kubernetes Platform deployment
• Access to the Kubernetes Node over ssh
• Account providing appropriate permissions to perform audit scan

• git
• InSpec

Go to https://www.inspec.io/downloads/ and consult the documentation for your Operating System to download and install InSpec.

inspec --version

The default values for profile inputs are given in inspec.yml. These values can be overridden by creating an inputs.yml file -- see the InSpec documentation for inputs.

  - name: manifests_path
    description: 'Path to Kubernetes manifest files on the target node'
    type: string
    value: '/etc/kubernetes/manifests'
    required: true

  - name: pki_path
    description: 'Path to Kubernetes PKI files on the target node'
    type: string
    value: '/etc/kubernetes/pki/'
    required: true

  - name: kubeadm_path
    description: 'Path to kubeadm file on the target node'
    type: string
    value: '/usr/local/bin/kubeadm'
    required: true

  - name: kubectl_path
    description: 'Path to kubectl on the target node'
    type: string
    value: '/usr/local/bin/kubectl'
    required: true

  - name: kubernetes_conf_files
    description: 'Path to Kubernetes conf files on the target node'
    type: array
    value:
        - /etc/kubernetes/admin.conf
        - /etc/kubernetes/scheduler.conf
        - /etc/kubernetes/controller-manager.conf
    required: true

(See: https://www.inspec.io/docs/reference/cli/)

Execute the Kubernetes Node profile on each node in the cluster. The profile will adapt its checks based on the Kubernetes components located on the node.

Note: Replace the profile's directory name - e.g. - <Profile> with . if currently in the profile's root directory.

inspec exec <Profile> -t ssh://TARGET_USERNAME@TARGET_IP:TARGET_PORT --sudo -i <your_PEM_KEY> --controls=<control_id> --show-progress

inspec exec <Profile> -t ssh://TARGET_USERNAME@TARGET_IP:TARGET_PORT --sudo -i <your_PEM_KEY> --controls=<control_id> --show-progress --reporter json:results.json

inspec exec <Profile>  -t ssh://TARGET_USERNAME@TARGET_IP:TARGET_PORT --sudo -i <your_PEM_KEY> --show-progress

inspec exec <Profile> -t ssh://TARGET_USERNAME@TARGET_IP:TARGET_PORT --sudo -i <your_PEM_KEY> --show-progress  --reporter json:results.json

Kubernetes Components

This profile evaluates the STIG compliance of the following Kubernetes Components by evaluating their process configuration:

• kube-apiserver
• kube-controller-manager
• kube-scheduler
• kubelet
• kube-proxy
• etcd

If these components are not in use in the target cluster or named differently, the profile has to be adapted for the target K8S distribution using an InSpec Profile Overlay.