CNTR-K8-000900 – The Kubernetes manifests must have least privileges.

Details

The manifest files contain the runtime configuration of the API server, scheduler, controller, and etcd. If an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes with RBAC implemented.

Satisfies: SRG-APP-000133-CTR-000310, SRG-APP-000133-CTR-000295

Solution

On the Master node, change to the /etc/kubernetes/manifest directory. Run the command:

chmod 644 *

To verify the change took place, run the command:

ls -l *

All the manifest files should now have privileges of ‘644’.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R4_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

800-53|CM-5(6)
CAT|II
CCI|CCI-001499
CSCv6|3.1
Rule-ID|SV-242408r712580_rule
STIG-ID|CNTR-K8-000900
Vuln-ID|V-242408

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles