CIS Results and Exceptions
This topic shows default-level CIS (v1.6.1) scan results for Tanzu Kubernetes Grid (TKG) class-based workload clusters deployed by a standalone management cluster, and describes exception handling that can improve the scan results.
For standard processes to further harden TKG workload clusters, see STIG and NSA/CISA Hardening.
For CIS results and exceptions for plan-based (legacy) workload clusters, see Hardening Results in the TKG v2.2 documentation.
Hardening Class-Based Workload Clusters
CIS scan results for class-based workload clusters deployed without the additional Kubernetes or OS hardening described in Hardening Class-Based Workload Clusters.
Default Photon OS 5 CIS Exceptions
Photon OS 5 Scan Results:
CIS Exceptions documentation and compensating controls for Photon OS 5 in class-based TKG clusters:
| CIS ID | Description | Reason | Workaround |
|---|---|---|---|
| C-1.1.1.8 | Ensure mounting of FAT filesystems is limited | vfat is required for UEFI | Run rmmod vfat |
| C-1.1.10 | Ensure noexec option set on /var/tmp partition | /var/tmp is not mounted | |
| C-1.1.11 | Ensure separate partition exists for /var/log | Audit files are offloaded to external log sink. | max_log_file_action is set to rotate. |
| C-1.1.12 | Ensure separate partition exists for /var/log/audit | Log are offloaded to external log sink. | logrotate is configured to prevent the disk space filling up. |
| C-1.1.13 | Ensure separate partition exists for /home | System is not intended to support local users | Not applicable |
| C-1.1.14 | Ensure nodev option set on /home partition | /home is not mounted | |
| C-1.1.6 | Ensure separate partition exists for /var | Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools. | |
| C-1.1.7 | Ensure separate partition exists for /var/tmp | /var/tmp is not mounted | |
| C-1.1.8 | Ensure nodev option set on /var/tmp partition | /var/tmp is not mounted | |
| C-1.1.9 | Ensure nosuid option set on /var/tmp partition | /var/tmp is not mounted | |
| C-1.4.2 | Ensure bootloader password is set | Setting the boot loader password will require system boot password. | Not recommended |
| C-1.4.4 | Ensure interactive boot is not enabled | Interactive boot is not supported | |
| C-1.6.2.2 | Ensure the SELinux state is enforcing | Site specific control | Not applicable |
| C-1.6.2.3 | Ensure SELinux policy is configured | Site specific control | Not applicable |
| C-1.6.3.1 | Ensure AppArmor is not disabled in bootloader configuration | SELinux is used for MAC | Not applicable |
| C-1.6.3.2 | Ensure all AppArmor Profiles are enforcing | SELinux is used for MAC | Not applicable |
| C-1.8 | Ensure updates, patches, and additional security software are installed | CAPI VMs are immutables | Not applicable |
| C-1.7.1.4 | Ensure permissions on /etc/motd are configured | File does not exist | Not applicable |
| C-1.7.2 | Ensure GDM login banner is configured | GDM is not installed on Cluster API VMs | Not applicable |
| C-2.2.1.2 | Ensure ntp is configured | Chrony is being installed as an alternative. | Chrony is enabled as compensating control |
| C-2.2.1.4 | Ensure systemd-timesyncd is configured | Chrony is used instead | Not applicable |
| C-3.1.1 | Ensure IP forwarding is disabled | IP Forwarding is required by Antrea and Kube-proxy | Not applicable |
| C-3.3.3 | Ensure /etc/hosts.deny is configured | Site specific control | Not applicable |
| C-3.5.1.1 | Ensure IPv6 default deny firewall policy | Required when IPv4 DENY iptables rules exists | Not applicable |
| C-3.5.2.1 | Ensure default deny firewall policy | Required when IPv4 DENY iptables rules exists | Not applicable |
| C-3.7 | Disable IPv6 | Cluster API VMs are dual stack and use IPV6 | Not applicable |
| C-4.1.1.2 | Ensure system is disabled when audit logs are full | Audit files are offloaded to external log sink. TKG favours availability to halting. | |
| C-4.2.1.5 | Ensure rsyslog is configured to send logs to a remote log host | Real-time logs offload is provided by the fluentbit package. | Install and configure fluentbit package |
| C-4.2.2.3 | Ensure journald is configured to write logfiles to persistent disk | Real-time logs offload is provided by the fluentbit package. | Install and configure fluentbit package |
| C-5.2.18 | Ensure SSH access is limited | Site specific control | Not applicable |
Default Ubuntu 22.04 CIS Exceptions
Ubuntu OS 22.04 Scan Results:
CIS Exceptions for Ubuntu OS 22.04 in class-based TKG clusters without additional Kubernetes or OS hardening:
| ID | Description | Reason | Workaround |
|---|---|---|---|
| C-1.1.3.1 | Ensure separate partition exists for /var | Partition /var not mounted separated, only one root partition is created. | Need to recreate the node and replace preseed of Ubuntu in image-builder |
| C-1.1.7.1 | Ensure separate partition exists for /home | Partition /home not mounted separated, only one root partition is created. | Need to recreate the node and replace preseed of Ubuntu in image-builder |
| C-1.4.3 | Ensure authentication required for single user mode | ClusterAPI VM does not set the password for root, customers must login via SSH with capv and sudo instead. | Not applicable |
| C-3.2.2 | Ensure IP forwarding is disabled | IP Forwarding is required by Antrea and Kube-proxy | Not Applicable |
| C-3.5.1.1 | Ensure ufw is installed | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.1 | Ensure nftables is installed | Nftables is not install by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.3.2.1 | Ensure iptables default deny firewall policy | Required when IPv4 DENY iptables rules exists | Not applicable |
| C-3.5.3.3.1 | Ensure ip6tables default deny firewall policy | Required when IPv6 DENY iptables rules exists | Not applicable |
| C-4.1.3.6 | Ensure use of privileged commands are collected | Vlock-main is not part of the default installation | Not applicable |
| C-4.1.4.11 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools | AIDE is not installed by default | See C-1.3.1 |
| C-4.1.4.2 | Ensure only authorized users own audit log files | Syslog owns cloud-init.log | |
| C-4.2.2.6 | Ensure rsyslog is configured to send logs to a remote log host | Rsyslog is being applied | Check /etc/rsyslog.d/50-default.conf |
| C-5.2.22 | Ensure SSH Idle Timeout Interval is configured | Idle timeout interval is 600 seconds | Change SSHD ClientAliveInterval parameter to 300. |
| C-5.3.4 | Ensure users must provide password for privilege escalation | System user accounts does not have password set. | Not applicable. |
| C-5.4.2 | Ensure lockout for failed password attempts is configured | System user accounts does not have password set. | Not applicable. |
| C-5.5.1.4 | Ensure inactive password lock is 30 days or less | System user accounts does not have password set. | Not applicable. |
Default Ubuntu 20.04 CIS Exceptions
Ubuntu OS 20.04 Scan Results:
CIS Exceptions for Ubuntu OS 20.04 in class-based TKG clusters without additional Kubernetes or OS hardening:
| CIS ID | CIS Description | Reason | Workaround |
|---|---|---|---|
| C-1.1.17 | Ensure separate partition exists for /home | Partition /home not mounted separated, only one root partition is created. | Need to recreate the node and replace preseed of Ubuntu in image-builder |
| C-1.1.18 | Ensure /home partition includes the nodev option | Partition /home not mounted separated, only one root partition is created. | Need to recreate the node and replace preseed of Ubuntu in image-builder |
| C-1.4.4 | Ensure authentication required for single user mode | ClusterAPI VM does not set the password for root, customers must login via SSH with capv and sudo instead. | Not applicable |
| C-1.9 | Ensure updates, patches, and additional security software are | This requires a regular creation of the image, whereas in TKG, images are immutable and may live a long time. | Not Applicable |
| C-2.3 | Ensure nonessential services are removed or masked | Manual testing must be executed and analyzed. | Users must check with lsof -i -P -n | grep -v “(ESTABLISHED)” |
| C-3.2.2 | Ensure IP forwarding is disabled | IP Forwarding is required by Antrea and Kube-proxy | Not Applicable |
| C-3.5.1.1 | Ensure ufw is installed | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.1.2 | Ensure iptables-persistent is not installed with ufw | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.1.3 | Ensure ufw service is enabled | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.1.4 | Ensure ufw loopback traffic is configured | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.1.5 | Ensure ufw outbound connections are configured | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.1.6 | Ensure ufw firewall rules exist for all open ports | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.1.7 | Ensure ufw default deny firewall policy | Universal Firewall is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.1 | Ensure nftables is installed | Nftables is not install by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.10 | Ensure nftables rules are permanent | Nftables is not install by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.2 | Ensure ufw is uninstalled or disabled with nftables | Universal Firewall and nftables are not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.3 | Ensure iptables are flushed with nftables | Nftables is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.4 | Ensure a nftables table exists | Nftables is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.5 | Ensure nftables base chains exist | Nftables is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.6 | Ensure nftables loopback traffic is configured | Nftables is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.7 | Ensure nftables outbound and established connections are configured | Nftables is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.8 | Ensure nftables default deny firewall policy | Nftables is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.2.9 | Ensure nftables service is enabled | Nftables is not installed by default | Iptables is the being used instead and controls related to it are the compensating controls |
| C-3.5.3.2.2 | Ensure iptables outbound and established connections are configured | Required when IPv4 DENY iptables rules exists | Not applicable |
| C-3.5.3.2.4 | Ensure iptables firewall rules exist for all open ports | Required when IPv4 DENY iptables rules exists | Not applicable |
| C-3.5.3.3.2 | Ensure ip6tables outbound and established connections are configured | Required when IPv6 DENY iptables rules exists | Not applicable |
| C-3.5.3.3.4 | Ensure ip6tables firewall rules exist for all open ports | Required when IPv6 DENY iptables rules exists | Not applicable |
| C-4.2.1.3 | Ensure logging is configured (Manual check) | Rsyslog is being applied | Check /etc/rsyslog.d/50-default.conf |
| C-4.2.1.5 | Ensure rsyslog is configured to send logs to a remote log host | Real-time logs offload is provided by the fluentbit package. | Install and configure fluentbit package |
| C-4.3 | Ensure logrotate is configured (Manual check) | Logrotate is enabled | Check /etc/logrotate.d/rsyslog |
| C-6.1.1 | Audit system file permissions (Manual) | This is a continuous check where customers can use dpkg to check for files integrity in the system | Use dpkg –verify <package_name> |
CIS Exceptions with BYOI OS Hardening
CIS exceptions for Ubuntu OS 2x.04 in class-based TKG clusters with custom hardened VM images created by running Image Builder with the ansible_user_vars settings for CIS hardening described in Build a Linux Image:
| CIS ID | CIS Description | Reason | Workaround |
|---|---|---|---|
| C-1.3.1 | Ensure AIDE is installed | AIDE is not installed or enabled by default | Must recreate the node with install_aide=true enabled. |
| C-1.3.2 | Ensure filesystem integrity is regularly checked | AIDE is not installed or enabled by default | Must recreate the node with install_aide=true enabled |
| C-2.1.1.2 | Ensure systemd-timesyncd is configured | Chrony is being used by default | To use timesyncd recreate the node with install_chrony=false and install_systemd_timesyncd=true. |
| C-2.1.1.4 | Ensure ntp is configured | Chrony is being installed as an alternative. | Chrony is enabled as compensating control |
CIS Exceptions with Kubernetes Hardening
Kubernetes Scan Results:
Control plane nodes:
Worker nodes:
CIS exceptions for Kubernetes in class-based TKG clusters with Kubernetes hardened using the configuration file variable settings listed in CIS Hardening:
| CIS ID | CIS Description | Reason | Workaround |
|---|---|---|---|
| C-1.2.6 | Ensure that the –kubelet-certificate-authority argument is set as appropriate | Customer must provide a custom CA. | This can be resolved by setting APISERVER_EXTRA_ARGS. |
| C-1.2.12 | Ensure that the admission control plugin AlwaysPullImages is set | This can be resolved by setting SECURITY_IMAGE_POLICY_PULL_ALWAYS or APISERVER_EXTRA_ARGS. Follow the Admission Controller instructions. | |
| C-1.2.27 | Ensure that the –service-account-lookup argument is set to true | This can be resolved by setting APISERVER_EXTRA_ARGS. | |
| C-1.2.33 | Ensure that the –encryption-provider-config argument is set as appropriate | Customer must enable encryption at rest. | This can be resolved by setting APISERVER_EXTRA_ARGS. Follow the Encryption as rest instructions. |
| C-1.3.1 | Ensure that the –terminated-pod-gc-threshold argument is set as appropriate | This can be resolved by setting KUBE_CONTROLLER_MANAGER_EXTRA_ARGS. | |
| C-1.3.6 | Ensure that the RotateKubeletServerCertificate argument is set to true. | This can be resolved by setting KUBE_CONTROLLER_MANAGER_EXTRA_ARGS. | |
| C-4.2.3 | Ensure that the –client-ca-file argument is set as appropriate | This can be resolved by setting WORKER_KUBELET_EXTRA_ARGS. | |
| C-4.2.6 | Ensure that the –protect-kernel-defaults argument is set to true | This can be resolved by setting WORKER_KUBELET_EXTRA_ARGS. | |
| C-4.2.10 | Same as CNTR-K8-001470 in STIG Results and Exceptions |
