STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

Kubernetes Worker Nodes must not have the sshd service enabled.

DISA Rule

SV-242394r717017_rule

Vulnerability Number

V-242394

Group Title

SRG-APP-000033-CTR-000095

Rule Version

CNTR-K8-000410

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

To disable the sshd service, run the command:

chkconfig sshd off

Note: If access to the worker node is through an SSH session, it is important to realize there are two requirements for disabling and stopping the sshd service that must be done during the same SSH session. Disabling the service must be performed first and then the service stopped to guarantee both settings can be made if the session is interrupted.

Check Contents

Log in to each worker node. Verify that the sshd service is not enabled. To validate the service is not enabled, run the command:

systemctl is-enabled sshd.service

If the service sshd is enabled, this is a finding.

Note: If console access is not available, SSH access can be attempted. If the worker nodes cannot be reached, this requirement is "not a finding".

Vulnerability Number

V-242394

Documentable

False

Rule Version

CNTR-K8-000410

Severity Override Guidance

Log in to each worker node. Verify that the sshd service is not enabled. To validate the service is not enabled, run the command:

systemctl is-enabled sshd.service

If the service sshd is enabled, this is a finding.

Note: If console access is not available, SSH access can be attempted. If the worker nodes cannot be reached, this requirement is "not a finding".

Check Content Reference

M

Target Key

5376

Comments