You can enable Center for Internet Security (CIS) reinforcement to enhance the security of the operating systems of nodes in a Container Service for Kubernetes (ACK) cluster. This topic describes how ACK implements CIS reinforcement based on the Alibaba Cloud Linux 2 operating system and how to assess CIS Benchmark configuration recommendations.
CIS is a third-party security organization that is committed to leading a global community of enterprises, public service sectors, and academia to develop security best practice solutions. CIS provides CIS Benchmarks for the Linux-based operating systems released by major companies, such as Alibaba Cloud Linux 2, CentOS, and Ubuntu. CIS Benchmarks have become a critical criterion for assessing OS security for many Alibaba Cloud customers. For more information, see CIS WorkBench.
Alibaba Cloud Linux 2 is the official OS image developed by Alibaba Cloud and the default OS image used in ACK clusters. Alibaba Cloud Linux 2 passed the certification procedure of CIS on August 16, 2019. CIS then released CIS Aliyun Linux 2 Benchmark version 1.0.0. For more information, see CIS Aliyun Linux 2 Benchmark version 1.0.0.
CIS Aliyun Linux 2 Benchmark
- Level 1 items are used to implement basic improvements. These items do not have a large impact on system performance.
- Level 2 items are suitable for scenarios that require high security. These items may increase performance overhead.
- Scored: Compliance with Scored items increases the final benchmark score. Failure to comply with Scored items decreases the final benchmark score.
- Not Scored: Compliance with Not Scored items does not increase the final benchmark score. Failure to comply with Not Scored items does not decrease the final benchmark score.
The benchmark contains the following numbers of items in each category:
- Level 1 Scored (145 items)
- Level 1 Not Scored (21 items)
- Level 2 Scored (33 items)
- Level 2 Not Scored (3 items)
Level 2 items may negatively impact system performance and Not Scored items do not affect the final benchmark score. Therefore, ACK provides reinforcement for only Level 1 Scored items.
Enable CIS reinforcement
CIS Level 1 Scored items that are not covered by CIS reinforcement
|Item|Reason why the item is not covered by CIS reinforcement|
|---|---|
|1.1.2 Ensure /tmp is configured (Scored)|Involves partition modifications.|
|1.1.18 Ensure sticky bit is set on all world-writable directories (Scored)|Affects the control logic of ACK.|
|220.127.116.11 Ensure message of the day is configured properly (Scored)|Requires the deletion of the link to the user guide in the Message of the Day (MOTD) of the Alibaba Cloud Linux 2 operating system.|
|3.1.1 Ensure IP forwarding is disabled (Scored)|Affects the networking component of ACK.|
|18.104.22.168 Ensure default deny firewall policy (Scored)|Requires the configuration of firewall policies.|
|22.214.171.124 Ensure loopback traffic is configured (Scored)|Requires the configuration of loopback rules.|
|126.96.36.199 Ensure firewall rules exist for all open ports (Scored)|Requires the configuration of firewall rules for open ports.|
|188.8.131.52 Ensure IPv6 default deny firewall policy (Scored)|Requires the configuration of IPv6 firewall policies.|
|184.108.40.206 Ensure IPv6 loopback traffic is configured (Scored)|Requires the configuration of IPv6 loopback rules.|
|220.127.116.11 Ensure rsyslog is configured to send logs to a remote log host (Scored)|Requires the configuration of rsyslog to send log data to a remote log host.|
|4.2.3 Ensure permissions on all logfiles are configured (Scored)|Requires the modification of a large number of files, which results in potential security risks.|
|5.2.10 Ensure SSH root login is disabled (Scored)|Requires the creation of other accounts for authentication or the use of non-SSH connections, such as Virtual Network Computing (VNC) connections.|
|5.2.18 Ensure SSH access is limited (Scored)|Requires the configuration of the users and groups that are allowed to access the system over SSH.|
|5.2.3 Ensure permissions on SSH private host key files are configured (Scored)|The GID of|
|5.3.2 Ensure lockout for failed password attempts is configured (Scored)|The Benchmark configuration recommendations differ considerably from the configuration file of the Alibaba Cloud Linux 2 system. We recommend that you proceed with caution.|
|6.1.11 Ensure no unowned files or directories exist (Scored)|Affects the control logic of ACK.|
|6.1.12 Ensure no ungrouped files or directories exist (Scored)|Affects the control logic of ACK.|
Each item in the CIS Aliyun Linux 2 Benchmark document consists of the following sections:
|Section|Description|
|---|---|
|Profile Applicability|Whether the item belongs to Level 1 or Level 2.|
|Description|A brief introduction to the item.|
|Rationale|The details and background information about the item. This helps you understand the reason for the recommended reinforcement.|
|Audit|The command script that is used to check whether the system meets the criteria. You can determine whether reinforcement is required based on the return value of the script.|
|Remediation|If the script in the Audit section indicates that reinforcement is required, you can run this script to reinforce the system.|
|Impact|Possible impacts if the system is not properly configured.|
|CIS Controls|The description of the CIS control that corresponds to the item. To download CIS Controls, you must create an account.|
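To make the Audit and Remediation sections concrete, the following added example (not taken from the benchmark PDF or from ACK) implements an audit-then-remediate pair for two items listed in the table above, 1.1.18 (sticky bit on world-writable directories) and 3.1.1 (IP forwarding disabled), and runs the first one against a constructed directory tree; the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example in the shape of a CIS Benchmark item (Audit script, then
# Remediation script). Function names and the sample tree are constructed;
# the checks follow the intent of items 1.1.18 and 3.1.1 from the table above.

# Audit 1.1.18: list world-writable directories under $1 that lack the sticky
# bit. An empty result means the item passes.
audit_sticky_bit() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Remediation 1.1.18: add the sticky bit to every directory the audit reported.
remediate_sticky_bit() {
    audit_sticky_bit "$1" | while IFS= read -r dir; do
        chmod a+t "$dir"
    done
}

# Number of 1.1.18 findings, so a caller can score the item the way CIS-CAT
# does: 0 findings is a pass, anything else is a fail.
sticky_bit_findings() {
    audit_sticky_bit "$1" | awk 'END { print NR }'
}

# Audit 3.1.1: read the forwarding flag from a sysctl file ($1 defaults to the
# live kernel value). Returns 0 when forwarding is disabled, 1 when enabled.
# On an ACK node this item is expected to fail, because the cluster network
# component relies on IP forwarding; that is why ACK leaves it unreinforced.
audit_ip_forward() {
    flag=$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)
    [ "$flag" = "0" ]
}

# Constructed sample tree: one compliant and one non-compliant world-writable
# directory, plus one directory that is out of scope for the item.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared_ok" "$root/shared_bad" "$root/private"
    chmod 1777 "$root/shared_ok"   # world-writable with sticky bit: passes
    chmod 0777 "$root/shared_bad"  # world-writable without sticky bit: fails
    chmod 0755 "$root/private"     # not world-writable: not examined
    printf '%s\n' "$root"
}

# Stand-alone demo: audit, remediate, audit again.
demo_root=$(make_sample_tree)
echo "1.1.18 findings before remediation: $(sticky_bit_findings "$demo_root")"
remediate_sticky_bit "$demo_root"
echo "1.1.18 findings after remediation: $(sticky_bit_findings "$demo_root")"
rm -rf "$demo_root"
```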
Download CIS Aliyun Linux 2 Benchmark version 1.0.0
- Log on to the CIS Benchmark homepage.
- Select Operating Systems and Linux.
- Find Aliyun Linux and click Download CIS Benchmark.
- On the download page that appears, enter your basic information and click Get Free Benchmarks Now.
- Wait a few minutes. Check your email inbox and find the email from CIS. Click Access PDFs in the email.
- On the download page, find CIS Aliyun Linux 2 Benchmark v1.0.0 and click Download PDF.
Use CIS-CAT to evaluate the compliance of an ACK cluster with the CIS Benchmark
To evaluate the compliance of an ACK cluster with the CIS Benchmark, you can use CIS-Configuration Assessment Tool (CAT) to scan the cluster. CIS-CAT is a configuration assessment tool that scans the configuration of a system to provide a detailed evaluation report. You can run this tool on a system to obtain a benchmark score against a specified CIS Benchmark profile. The tool also provides remediation steps for noncompliant configurations. For more information, see CIS-CAT.
CIS-CAT has two editions: Lite and Pro. CIS-CAT Lite provides limited features and supports only the following systems: Windows 10, Ubuntu 18.04, and Google Chrome. CIS-CAT Lite does not support Alibaba Cloud Linux 2 and therefore cannot be used to scan ACK clusters for compliance evaluation.
CIS-CAT Pro has two versions: v4 and v3. The following section shows how to use CIS-CAT Pro v4 to scan an ACK cluster to evaluate the compliance of the cluster with the CIS Benchmark.
- Go to CIS SecureSuite and register a CIS SecureSuite membership. Then, download the CIS-CAT Pro installation package named Assessor-CLI-v4.0.23.zip.
- Log on to a cluster node that runs Alibaba Cloud Linux 2.
- Run the following commands in sequence to install the Java environment that CIS-CAT Pro requires:
yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel
# JAVA_HOME is resolved from the installed javac when the profile is written;
# the escaped references are expanded later, when the profile is sourced at login.
cat > /etc/profile.d/java8.sh <<EOF
export JAVA_HOME=$(dirname $(dirname $(readlink $(readlink $(which javac)))))
export PATH=\$PATH:\$JAVA_HOME/bin
export CLASSPATH=.:\$JAVA_HOME/jre/lib:\$JAVA_HOME/lib:\$JAVA_HOME/lib/tools.jar
EOF
- Run the following commands in sequence to use CIS-CAT Pro to scan the node:
chmod +x ./Assessor-CLI.sh
./Assessor-CLI.sh -b ./benchmarks/CIS_Aliyun_Linux_2_Benchmark_v1.0.0-xccdf.xml -p "Level 1" -html
-b: specifies the benchmark against which the node is scanned. The parameter value includes the operating system and the benchmark version.
-p: specifies the profile, that is, the level of items that are scanned. In this example, Level 1 is specified because only CIS Level 1 Scored items need to be scanned.
-html: generates the scan report in HTML format.
- Check the scan result. The following table describes the parameters in the scan result. For more information, see CIS-CAT Pro Assessor v4 Report.
|Parameter|Description|
|---|---|
|Total # of Results|The total number of items that are provided by the specified benchmark. CIS Aliyun Linux 2 Benchmark v1.0.0 contains 204 items.|
|Total Scored Results|The total number of Scored items that belong to the specified level. Level 1 contains 145 items.|
|Total Pass|The total number of Scored items that belong to the specified level and passed the check. ACK provides CIS reinforcement for 128 Level 1 Scored items.|
|Total Fail|The total number of Scored items that belong to the specified level and failed the check. ACK does not provide CIS reinforcement for 17 Level 1 Scored items.|
|Total Error|The total number of Scored items that belong to the specified level and caused errors during script execution. In this example, no error occurred and therefore the result is 0.|
|Total Unknown|The total number of Scored items that belong to the specified level and for which CIS-CAT was unable to determine whether the criteria were met. In this example, the result is 0.|
|Total Not Applicable|The total number of items of the specified benchmark that are not applicable to the operating system. When you use CIS-CAT Pro to scan a node that runs Alibaba Cloud Linux 2 against CIS Aliyun Linux 2 Benchmark v1.0.0, all items apply.|
|Total Not Checked|These items are Not Scored. The items that belong to the Total Informational category are also Not Scored.|
|Total Not Selected|The total number of items of the specified benchmark that are not checked. In this example, CIS-CAT Pro checks only Level 1 items. Therefore, the 36 Level 2 items are not checked.|
|Total Informational|The total number of items that require manual evaluation. These items are Not Scored in the specified level.|