CIS Hardening Guide

This document outlines the configurations and controls required to address controls from the Center for Internet Security (CIS).

For more details about evaluating a hardened cluster against the official CIS benchmark, refer to the appropriate CIS Self-Assessment Guide:

CIS Self-Assessment Guide v1.8 for Kubernetes v1.26 and newer

The Kubernetes and Operating System (Ubuntu 22 LTS) is "hardened by default" and pass the majority of the CIS controls without modification. There are a few notable exceptions to this that require manual intervention to fully pass the CIS Benchmark:

Host-level

Partitions

Partition	Compliant	Comment
/var	yes	Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.
/var/log	yes	There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.
/boot	yes
/home	yes	The system is intended to support local users (at least one for Kubernetes), create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home .
/tmp	yes	Making /tmp its own file system allows to set the noexec option on the mount, making /tmp useless for an attacker to install executable code.
/srv	no	Kubernetes irrelevant
/opt	no	Kubernetes irrelevant
/usr	no	to justified

CIS Level 1

Recommendation	Title	Compliant	Comment
1.1.1.1	Ensure cramfs kernel module is not available	Yes
1.1.1.2	Ensure freevxfs kernel module is not available	Yes
1.1.1.3	Ensure hfs kernel module is not available	Yes
1.1.1.4	Ensure hfsplus kernel module is not available	Yes
1.1.1.5	Ensure jffs2 kernel module is not available	Yes
1.1.1.8	Ensure usb-storage kernel module is not available	Yes
1.1.2.1.1	Ensure /tmp is a separate partition	Yes
1.1.2.1.2	Ensure nodev option set on /tmp partition	Yes
1.1.2.1.3	Ensure nosuid option set on /tmp partition	Yes
1.1.2.1.4	Ensure noexec option set on /tmp partition	Yes
1.1.2.2.1	Ensure /dev/shm is a separate partition	Yes
1.1.2.2.2	Ensure nodev option set on /dev/shm partition	Yes
1.1.2.2.3	Ensure nosuid option set on /dev/shm partition	Yes
1.1.2.2.4	Ensure noexec option set on /dev/shm partition	Yes
1.1.2.3.2	Ensure nodev option set on /home partition	Yes
1.1.2.3.3	Ensure nosuid option set on /home partition	Yes
1.1.2.4.2	Ensure nodev option set on /var partition	Yes
1.1.2.4.3	Ensure nosuid option set on /var partition	Yes
1.1.2.5.2	Ensure nodev option set on /var/tmp partition	Yes
1.1.2.5.3	Ensure nosuid option set on /var/tmp partition	Yes
1.1.2.5.4	Ensure noexec option set on /var/tmp partition	Yes
1.1.2.6.2	Ensure nodev option set on /var/log partition	Yes
1.1.2.6.3	Ensure nosuid option set on /var/log partition	Yes
1.1.2.6.4	Ensure noexec option set on /var/log partition	Yes
1.1.2.7.2	Ensure nodev option set on /var/log/audit partition	Yes
1.1.2.7.3	Ensure nosuid option set on /var/log/audit partition	Yes
1.1.2.7.4	Ensure noexec option set on /var/log/audit partition	Yes
1.2.1.1	Ensure GPG keys are configured	No	Configuration dependent
1.2.1.2	Ensure package manager repositories are configured	No	Configuration dependent
1.2.2.1	Ensure updates, patches, and additional security software are installed	No	Configuration dependent
1.3.1.1	Ensure AppArmor is installed	Yes
1.3.1.2	Ensure AppArmor is enabled in the bootloader configuration	Yes
1.3.1.3	Ensure all AppArmor Profiles are in enforce or complain mode	Yes
1.4.1	Ensure bootloader password is set	No	Os will not be able to boot
1.4.2	Ensure access to bootloader config is configured	Yes
1.5.1	Ensure address space layout randomization is enabled	Yes
1.5.2	Ensure ptrace_scope is restricted	Yes	Default value, script does not enforce
1.5.3	Ensure core dumps are restricted	Yes
1.5.4	Ensure prelink is not installed	Yes
1.5.5	Ensure Automatic Error Reporting is not enabled	Yes
1.6.1	Ensure message of the day is configured properly	Yes	Message to be configured
1.6.2	Ensure local login warning banner is configured properly	Yes	Message to be configured
1.6.3	Ensure remote login warning banner is configured properly	Yes	Message to be configured
1.6.4	Ensure access to /etc/motd is configured	Yes
1.6.5	Ensure access to /etc/issue is configured	Yes
1.6.6	Ensure access to /etc/issue.net is configured	Yes
1.7.2	Ensure GDM login banner is configured	Yes
1.7.3	Ensure GDM disable-user-list option is enabled	Yes
1.7.4	Ensure GDM screen locks when the user is idle	Yes
1.7.5	Ensure GDM screen locks cannot be overridden	Yes
1.7.6	Ensure GDM automatic mounting of removable media is disabled	Yes
1.7.7	Ensure GDM disabling automatic mounting of removable media is not overridden	Yes
1.7.8	Ensure GDM autorun-never is enabled	Yes
1.7.9	Ensure GDM autorun-never is not overridden	Yes
1.7.10	Ensure XDCMP is not enabled	Yes
2.1.1	Ensure autofs services are not in use	Yes
2.1.2	Ensure avahi daemon services are not in use	Yes
2.1.3	Ensure dhcp server services are not in use	Yes
2.1.4	Ensure dns server services are not in use	Yes
2.1.5	Ensure dnsmasq services are not in use	Yes
2.1.6	Ensure ftp server services are not in use	Yes
2.1.7	Ensure ldap server services are not in use	Yes
2.1.8	Ensure message access server services are not in use	Yes
2.1.9	Ensure network file system services are not in use	Yes
2.1.10	Ensure nis server services are not in use	Yes
2.1.11	Ensure print server services are not in use	Yes
2.1.12	Ensure rpcbind services are not in use	Yes
2.1.13	Ensure rsync services are not in use	Yes
2.1.14	Ensure samba file server services are not in use	Yes
2.1.15	Ensure snmp services are not in use	Yes
2.1.16	Ensure tftp server services are not in use	Yes	Minimal installation not installed
2.1.17	Ensure web proxy server services are not in use	Yes
2.1.18	Ensure web server services are not in use	Yes
2.1.19	Ensure xinetd services are not in use	Yes	Minimal installation not installed
2.1.21	Ensure mail transfer agent is configured for local-only mode	Yes
2.1.22	Ensure only approved services are listening on a network interface	Yes	Minimal installation
2.2.1	Ensure NIS Client is not installed	Yes
2.2.2	Ensure rsh client is not installed	Yes
2.2.3	Ensure talk client is not installed	Yes
2.2.4	Ensure telnet client is not installed	Yes
2.2.5	Ensure ldap client is not installed	No	Required for ssh bastion
2.2.6	Ensure ftp client is not installed	Yes
2.3.1.1	Ensure a single time synchronization daemon is in use	Part	SCAP does not check if only one daemon is used, minimal install ony use systemd-timesyncd
2.3.2.1	Ensure systemd-timesyncd configured with authorized timeserver	No
2.3.2.2	Ensure systemd-timesyncd is enabled and running	Yes
2.3.3.1	Ensure chrony is configured with authorized timeserver	No	systemd-timesyncd installed
2.3.3.2	Ensure chrony is running as user chrony	No	systemd-timesyncd installed
2.3.3.3	Ensure chrony is enabled and running	No	systemd-timesyncd installed
2.4.1.1	Ensure cron daemon is enabled and active	Yes
2.4.1.2	Ensure permissions on /etc/crontab are configured	Yes
2.4.1.3	Ensure permissions on /etc/cron.hourly are configured	Yes
2.4.1.4	Ensure permissions on /etc/cron.daily are configured	Yes
2.4.1.5	Ensure permissions on /etc/cron.weekly are configured	Yes
2.4.1.6	Ensure permissions on /etc/cron.monthly are configured	Yes
2.4.1.7	Ensure permissions on /etc/cron.d are configured	Yes
2.4.1.8	Ensure crontab is restricted to authorized users	Yes
2.4.2.1	Ensure at is restricted to authorized users	Yes
3.1.1	Ensure IPv6 status is identified	Yes	IPv6 is enabled by default
3.1.2	Ensure wireless interfaces are disabled	Yes
3.1.3	Ensure bluetooth services are not in use	Yes	Minimal installation, not installed
3.3.1	Ensure ip forwarding is disabled	No	Required for kubernetes to work
3.3.2	Ensure packet redirect sending is disabled	Yes
3.3.3	Ensure bogus icmp responses are ignored	Yes
3.3.4	Ensure broadcast icmp requests are ignored	Yes
3.3.5	Ensure icmp redirects are not accepted	Yes
3.3.6	Ensure secure icmp redirects are not accepted	Yes
3.3.7	Ensure reverse path filtering is enabled	No	Required for kubernetes to work
3.3.8	Ensure source routed packets are not accepted	Yes
3.3.9	Ensure suspicious packets are logged	Yes
3.3.10	Ensure tcp syn cookies is enabled	Yes
3.3.11	Ensure ipv6 router advertisements are not accepted	Yes
4.1.1	Ensure ufw is installed	No	nftables installed
4.1.2	Ensure iptables-persistent is not installed with ufw	Yes	nftables installed
4.1.3	Ensure ufw service is enabled	No	nftables installed
4.1.4	Ensure ufw loopback traffic is configured	No	nftables installed
4.1.5	Ensure ufw outbound connections are configured	No	nftables installed
4.1.6	Ensure ufw firewall rules exist for all open ports	No	nftables installed
4.1.7	Ensure ufw default deny firewall policy	No	nftables installed
4.2.1	Ensure nftables is installed	Yes
4.2.2	Ensure ufw is uninstalled or disabled with nftables	Yes
4.2.3	Ensure iptables are flushed with nftables	Yes
4.2.4	Ensure a nftables table exists	Yes
4.2.5	Ensure nftables base chains exist	Yes
4.2.6	Ensure nftables loopback traffic is configured	Yes
4.2.7	Ensure nftables outbound and established connections are configured	No	Not in hardening script
4.2.8	Ensure nftables default deny firewall policy	No	Not in hardening script
4.2.9	Ensure nftables service is enabled	Yes
4.2.10	Ensure nftables rules are permanent	Yes
4.3.1.1	Ensure iptables packages are installed	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.1.2	Ensure nftables is not installed with iptables	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.1.3	Ensure ufw is uninstalled or disabled with iptables	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.2.1	Ensure iptables default deny firewall policy	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.2.2	Ensure iptables loopback traffic is configured	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.2.3	Ensure iptables outbound and established connections are configured	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.2.4	Ensure iptables firewall rules exist for all open ports	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.3.1	Ensure ip6tables default deny firewall policy	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.3.2	Ensure ip6tables loopback traffic is configured	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.3.3	Ensure ip6tables outbound and established connections are configured	No	nftables installed in place must be removed manually `apt purge -y iptables`
4.3.3.4	Ensure ip6tables firewall rules exist for all open ports	No	nftables installed in place must be removed manually `apt purge -y iptables`
5.1.1	Ensure permissions on /etc/ssh/sshd_config are configured	Yes
5.1.2	Ensure permissions on SSH private host key files are configured	Yes
5.1.3	Ensure permissions on SSH public host key files are configured	Yes
5.1.4	Ensure sshd access is configured	No	Directives AllowUsers,AllowGroups,DenyUsers and DenyGroups need to be configured
5.1.5	Ensure sshd Banner is configured	Yes
5.1.6	Ensure sshd Ciphers are configured	Yes
5.1.7	Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured	Yes
5.1.10	Ensure sshd HostbasedAuthentication is disabled	Yes
5.1.11	Ensure sshd IgnoreRhosts is enabled	Yes
5.1.12	Ensure sshd KexAlgorithms is configured	Yes
5.1.13	Ensure sshd LoginGraceTime is configured	Yes
5.1.14	Ensure sshd LogLevel is configured	Yes
5.1.15	Ensure sshd MACs are configured	Yes
5.1.16	Ensure sshd MaxAuthTries is configured	Yes
5.1.17	Ensure sshd MaxSessions is configured	Yes
5.1.18	Ensure sshd MaxStartups is configured	Yes
5.1.19	Ensure sshd PermitEmptyPasswords is disabled	Yes
5.1.20	Ensure sshd PermitRootLogin is disabled	Yes
5.1.21	Ensure sshd PermitUserEnvironment is disabled	Yes
5.1.22	Ensure sshd UsePAM is enabled	Yes
5.2.1	Ensure sudo is installed	Yes
5.2.2	Ensure sudo commands use pty	Yes
5.2.3	Ensure sudo log file exists	Yes
5.2.5	Ensure re-authentication for privilege escalation is not disabled globally	Yes
5.2.6	Ensure sudo authentication timeout is configured correctly	Yes
5.2.7	Ensure access to the su command is restricted	Yes
5.3.1.1	Ensure latest version of pam is installed	No	Does not upgrade
5.3.1.2	Ensure libpam-modules is installed	Yes
5.3.1.3	Ensure libpam-pwquality is installed	Yes
5.3.2.1	Ensure pam_unix module is enabled	Yes
5.3.2.2	Ensure pam_faillock module is enabled	Yes
5.3.2.3	Ensure pam_pwquality module is enabled	Yes
5.3.2.4	Ensure pam_pwhistory module is enabled	Yes
5.3.3.1.1	Ensure password failed attempts lockout is configured	Yes
5.3.3.1.2	Ensure password unlock time is configured	Yes
5.3.3.2.1	Ensure password number of changed characters is configured	Yes
5.3.3.2.2	Ensure minimum password length is configured	Yes
5.3.3.2.3	Ensure password complexity is configured	Yes
5.3.3.2.4	Ensure password same consecutive characters is configured	No	Not in hardening script
5.3.3.2.5	Ensure password maximum sequential characters is configured	No	Not in hardening script
5.3.3.2.6	Ensure password dictionary check is enabled	Yes
5.3.3.2.7	Ensure password quality checking is enforced	Yes
5.3.3.2.8	Ensure password quality is enforced for the root user	Yes
5.3.3.3.1	Ensure password history remember is configured	No	Not in hardening script
5.3.3.3.2	Ensure password history is enforced for the root user	No	Not in hardening script
5.3.3.3.3	Ensure pam_pwhistory includes use_authtok	No	Not in hardening script
5.3.3.4.1	Ensure pam_unix does not include nullok	No	Not in hardening script
5.3.3.4.2	Ensure pam_unix does not include remember	No	Not in hardening script
5.3.3.4.3	Ensure pam_unix includes a strong password hashing algorithm	Yes
5.3.3.4.4	Ensure pam_unix includes use_authtok	Yes
5.4.1.1	Ensure password expiration is configured	Yes
5.4.1.3	Ensure password expiration warning days is configured	Yes
5.4.1.4	Ensure strong password hashing algorithm is configured	Yes
5.4.1.5	Ensure inactive password lock is configured	Yes
5.4.1.6	Ensure all users last password change date is in the past	Yes
5.4.2.1	Ensure root is the only UID 0 account	Yes
5.4.2.2	Ensure root is the only GID 0 account	Yes
5.4.2.3	Ensure group root is the only GID 0 group	Yes
5.4.2.4	Ensure root password is set	No	Needs to be configured manually
5.4.2.5	Ensure root path integrity	Yes
5.4.2.6	Ensure root user umask is configured	Yes
5.4.2.7	Ensure system accounts do not have a valid login shell	Yes
5.4.2.8	Ensure accounts without a valid login shell are locked	No	Accounts need to be validated manually
5.4.3.2	Ensure default user shell timeout is configured	Yes
5.4.3.3	Ensure default user umask is configured	Yes
6.1.1	Ensure AIDE is installed	No	Not installed
6.1.2	Ensure filesystem integrity is regularly checked	No	Aide Not installed
6.2.1.1.1	Ensure journald service is enabled and active	Yes
6.2.1.1.2	Ensure journald log file access is configured	No	Uses default configuration
6.2.1.1.3	Ensure journald log file rotation is configured	No	Uses default configuration
6.2.1.1.4	Ensure journald ForwardToSyslog is disabled	Yes
6.2.1.1.5	Ensure journald Storage is configured	Yes
6.2.1.1.6	Ensure journald Compress is configured	Yes
6.2.1.2.1	Ensure systemd-journal-remote is installed	Yes
6.2.1.2.2	Ensure systemd-journal-remote authentication is configured	No	Not in hardening script
6.2.1.2.3	Ensure systemd-journal-upload is enabled and active	No	Not in hardening script
6.2.1.2.4	Ensure systemd-journal-remote service is not in use	Yes
6.2.2.1	Ensure access to all logfiles has been configured	Yes
7.1.1	Ensure permissions on /etc/passwd are configured	Yes
7.1.2	Ensure permissions on /etc/passwd- are configured	Yes
7.1.3	Ensure permissions on /etc/group are configured	Yes
7.1.4	Ensure permissions on /etc/group- are configured	Yes
7.1.5	Ensure permissions on /etc/shadow are configured	Yes
7.1.6	Ensure permissions on /etc/shadow- are configured	Yes
7.1.7	Ensure permissions on /etc/gshadow are configured	Yes
7.1.8	Ensure permissions on /etc/gshadow- are configured	Yes
7.1.9	Ensure permissions on /etc/shells are configured	Yes
7.1.10	Ensure permissions on /etc/security/opasswd are configured	Yes
7.1.11	Ensure world writable files and directories are secured	Yes
7.1.12	Ensure no files or directories without an owner and a group exist	Yes
7.1.13	Ensure SUID and SGID files are reviewed	Yes
7.2.1	Ensure accounts in /etc/passwd use shadowed passwords	Yes
7.2.2	Ensure /etc/shadow password fields are not empty	Yes
7.2.3	Ensure all groups in /etc/passwd exist in /etc/group	Yes
7.2.4	Ensure shadow group is empty	Yes
7.2.5	Ensure no duplicate UIDs exist	Yes
7.2.6	Ensure no duplicate GIDs exist	Yes
7.2.7	Ensure no duplicate user names exist	Yes
7.2.8	Ensure no duplicate group names exist	Yes
7.2.9	Ensure local interactive user home directories are configured	Yes
7.2.10	Ensure local interactive user dot files access is configured	Yes

Kubelet parameter `protect-kernel-defaults` is set to `true`

This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults.

Etcd is configured properly

The CIS Benchmark requires that the etcd data directory be owned by the etcd user and group. This implicitly requires the etcd process run as the host-level etcd user.

etcd` user and group exists on the host.
etcd's data directory with etcd as the user and group owner.
etcd process is run as the etcd user and group by setting the etcd static pod's SecurityContext appropriately.

Configuration

v1.25 and Newer

Generic CIS configuration

RKE2 Minors	Applicable CIS Benchmark	Profile Flag
1.27+	1.8	`cis`

Kubernetes runtime requirements

The runtime requirements to pass the CIS Benchmark are centered around pod security and network policies.

Pod Security

RKE2 always runs with some amount of pod security.

v1.25 and Newer

On v1.25 and newer, Pod Security Admission (PSA) are used for pod security. A default Pod Security Admission config file will be added to the cluster upon startup as follows:

With the cis profile:

RKE2 will apply a restricted pod security standard via a configuration file which will enforce restricted mode throughout the cluster with an exception to the kube-system, cis-operator-system namespaces to ensure successful operation of system pods.

See the Pod Security Policies page for more details.

note

The Kubernetes control plane components and critical additions such as CNI, DNS, and Ingress are ran as pods in the kube-system namespace. Therefore, this namespace will have a policy that is less restrictive so that these components can run properly.

Network Policies

RKE2 will put NetworkPolicies in place that passes the CIS Benchmark for Kubernetes' built-in namespaces. These namespaces are: kube-system, kube-public, and default.

The NetworkPolicy used will only allow pods within the same namespace to talk to each other. There are some notable exceptions to this is that it allows DNS requests to be resolved.

DNS requests are allowed to reach the dns server
HTTP/s requests are allowed to reach the ingress-nginx service
HTTPs requests are allowed to reach the metrics-server
Requests to the ingress-nginx webhook on the specified pod by the ingress-nginx pod (normally 8443)
HTTPs requests to the rke2-snapshot-validation-webhook

Operator Intervention Required

Operators must manage network policies as normal for additional namespaces that are created.

Configure `default` service account

Set automountServiceAccountToken to false for default service accounts

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

RKE2 will automatically set the value correctly for kube-system, cis-operator-system, kube-node-lease namespaces.

API Server audit configuration

CIS requirements 1.2.22 to 1.2.25 are related to configuring audit logs for the API Server. When RKE2 is started with the profile flag set, it will automatically configure hardened --audit-log- parameters in the API Server to pass those CIS checks.

Default audit policy is configured to not log requests in the API Server. This is done to allow cluster operators flexibility to customize an audit policy that suits their auditing requirements and needs, as these are specific to each users' environment and policies.

A default audit policy is created by RKE2 when started with the profile flag set. The policy is defined in /etc/rancher/rke2/audit-policy.yaml.

apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  creationTimestamp: null
rules:
- level: None

Known issues

The following are controls that default RKE2 currently does not pass. Each gap will be explained and how it is addressed.

Control 1.1.12

Ensure that the etcd data directory ownership is set to etcd:etcd.

Rationale
etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by etcd:etcd.

Remediation
This can be remediated by creating an etcd user and group as described above.

Control 5.1.5

Ensure that default service accounts are not actively used

Rationale
Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod.

Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account.

The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

This can be remediated by updating the automountServiceAccountToken field to false for the default service account in each namespace.

Conclusion

If you have followed this guide, your RKE2 cluster will be configured to pass the CIS Kubernetes Benchmark. You can review our CIS Self-Assessment Guides to understand how we verified each of the benchmarks and how you can do the same on your cluster.

Host-level​

Partitions​

CIS Level 1​

Kubelet parameter protect-kernel-defaults is set to true​

Etcd is configured properly​

Configuration​

Generic CIS configuration​

Kubernetes runtime requirements​

Pod Security​

Network Policies​

Configure default service account​

API Server audit configuration​

Known issues​

Control 1.1.12​

Control 5.1.5​

Conclusion​