STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

DISA Rule

SV-242412r712592_rule

Vulnerability Number

V-242412

Group Title

SRG-APP-000142-CTR-000330

Rule Version

CNTR-K8-000940

Severity

CAT II

CCI(s)

• CCI-000382 - The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.

Weight

10

Fix Recommendation

Amend any system documentation requiring revision. Update Kubernetes Controller manifest and namespace PPS configuration to comply with PPSM CAL.

Check Contents

Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master Node. Run the command:
grep kube-scheduler.manifest -I -insecure-port
grep kube-scheduler.manifest -I -secure-port
-edit manifest file:
VIM <Manifest Name:
Review livenessProbe:
HttpGet:
Port:
Review ports:
- containerPort:
hostPort:
- containerPort:
hostPort:
Run Command:
kubectl describe services –all-namespace
Search labels for any controller names spaces.
Port:

Any manifest and namespace PPS or services configuration not in compliance with PPSM CAL is a finding.

Review the information systems documentation and interview the team, gain an understanding of the Controller architecture, and determine applicable PPS. Any PPS in the system documentation not in compliance with the CAL PPSM is a finding. Any PPS not set in the system documentation is a finding.

Review findings against the most recent PPSM CAL:
https://cyber.mil/ppsm/cal/

Verify Controller network boundary with the PPS associated with the Controller for Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements is a finding.

Vulnerability Number

V-242412

Documentable

False

Rule Version

CNTR-K8-000940

Severity Override Guidance

Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master Node. Run the command:
grep kube-scheduler.manifest -I -insecure-port
grep kube-scheduler.manifest -I -secure-port
-edit manifest file:
VIM <Manifest Name:
Review livenessProbe:
HttpGet:
Port:
Review ports:
- containerPort:
hostPort:
- containerPort:
hostPort:
Run Command:
kubectl describe services –all-namespace
Search labels for any controller names spaces.
Port:

Any manifest and namespace PPS or services configuration not in compliance with PPSM CAL is a finding.

Review the information systems documentation and interview the team, gain an understanding of the Controller architecture, and determine applicable PPS. Any PPS in the system documentation not in compliance with the CAL PPSM is a finding. Any PPS not set in the system documentation is a finding.

Review findings against the most recent PPSM CAL:
https://cyber.mil/ppsm/cal/

Verify Controller network boundary with the PPS associated with the Controller for Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements is a finding.

Check Content Reference

M

Target Key

5376

Comments