You can enable Center for Internet Security (CIS) reinforcement to enhance the security of the operating systems of nodes in a Container Service for Kubernetes (ACK) cluster. This topic describes how ACK implements CIS reinforcement based on the Alibaba Cloud Linux 2 operating system and how to assess CIS Benchmark configuration recommendations.
Background information
CIS is a third-party security organization that is committed to leading a global community of enterprises, public service sectors, and academia to develop security best practice solutions. CIS provides CIS Benchmarks for the Linux-based operating systems released by major companies, such as Alibaba Cloud Linux 2, CentOS, and Ubuntu. CIS Benchmarks have become a critical criterion for assessing OS security for many Alibaba Cloud customers. For more information, see CIS WorkBench.
Alibaba Cloud Linux 2 is the official OS image developed by Alibaba Cloud and the default OS image used in ACK clusters. Alibaba Cloud Linux 2 passed the certification procedure of CIS on August 16, 2019. CIS then released CIS Aliyun Linux 2 Benchmark version 1.0.0. For more information, see CIS Aliyun Linux 2 Benchmark version 1.0.0.
CIS Aliyun Linux 2 Benchmark
- Level 1 items are used to implement basic improvements. These items do not have a large impact on system performance.
- Level 2 items are suitable for scenarios that require high security. These items may increase performance overhead.
- Scored: Compliance with Scored items increases the final benchmark score. Failure to comply with Scored items decreases the final benchmark score.
- Not Scored: Compliance with Not Scored items does not increase the final benchmark score. Failure to comply with Not Scored items does not decrease the final benchmark score.
- Level 1 Scored (145 items)
- Level 1 Not Scored (23 items)
- Level 2 Scored (33 items)
- Level 2 Not Scored (3 items)
Level 2 items may negatively impact system performance and Not Scored items do not affect the final benchmark score. Therefore, ACK provides reinforcement for only Level 1 Scored items.
Enable CIS reinforcement
CIS Level 1 Scored items that are not covered by CIS reinforcement
Item | Reason why the item is not covered by CIS reinforcement |
---|---|
1.1.2 Ensure /tmp is configured (Scored) | Involves partition modifications. |
1.1.18 Ensure sticky bit is set on all world-writable directories (Scored) | Affects the control logic of ACK. |
1.7.1.1 Ensure message of the day is configured properly (Scored) | Requires the deletion of the link to the user guide in the Message of the Day (MOTD) of the Alibaba Cloud Linux 2 operating system. |
3.1.1 Ensure IP forwarding is disabled (Scored) | Affects the networking component of ACK. |
3.5.1.1 Ensure default deny firewall policy (Scored) | Requires the configuration of firewall policies. |
3.5.1.2 Ensure loopback traffic is configured (Scored) | Requires the configuration of loopback rules. |
3.5.1.4 Ensure firewall rules exist for all open ports (Scored) | Requires the configuration of firewall rules for open ports. |
3.5.2.1 Ensure IPv6 default deny firewall policy (Scored) | Requires the configuration of IPv6 firewall policies. |
3.5.2.2 Ensure IPv6 loopback traffic is configured (Scored) | Requires the configuration of IPv6 loopback rules. |
4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored) | Requires the configuration of rsyslog to send log data to a remote log host. |
4.2.3 Ensure permissions on all logfiles are configured (Scored) | Requires the modification of a large number of files, which results in potential security risks. |
5.2.10 Ensure SSH root login is disabled (Scored) | Requires the creation of other accounts for authentication or the use of non-SSH connections, such as Virtual Network Computing (VNC) connections. |
5.2.18 Ensure SSH access is limited (Scored) | Requires the configuration of users and groups that are allowed to access the system by using SSH. |
5.2.3 Ensure permissions on SSH private host key files are configured (Scored) | The GID of ssh_keys is hard-coded to 998 in the scan script. However, the GID may not be 998 in the system. For example, the GID may be 996. |
5.3.2 Ensure lockout for failed password attempts is configured (Scored) | The Benchmark configuration recommendations are quite different from the configuration file of the Alibaba Cloud Linux 2 system. We recommend that you proceed with caution. |
6.1.11 Ensure no unowned files or directories exist (Scored) | Affects the control logic of ACK. |
6.1.12 Ensure no ungrouped files or directories exist (Scored) | Affects the control logic of ACK. |
Section | Description |
---|---|
Profile Applicability | Whether the item belongs to Level 1 or Level 2. |
Description | The brief introduction of the item. |
Rationale | The details and background information about the item. This helps you understand the reason for the recommended reinforcement. |
Audit | The command script that is used to check whether the system meets the criteria. You can determine whether reinforcement is required based on the return value of the script. |
Remediation | If the script in the Audit section indicates that reinforcement is required, you can run this script to reinforce the system. |
Impact | Possible impacts if the system is not properly configured. |
References | References. |
CIS Controls | The description of the CIS control that corresponds to the item. To download CIS Controls, you must create an account. |
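As an added example (not code from the ACK documentation or from the Benchmark itself), the following POSIX shell check follows the Audit pattern described above for item 5.2.3 and resolves the ssh_keys GID from the group database instead of hard-coding 998, which is the problem noted in the table. The function names and the compliance rule it encodes (owner root; group root with mode 0600, or group ssh_keys with mode 0600 or 0640) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the ACK documentation. Audit check in the spirit
# of CIS item 5.2.3 (permissions on SSH private host key files) that looks up
# the ssh_keys GID at run time rather than assuming it is 998.

# resolve_ssh_keys_gid: print the GID of the ssh_keys group, or "none" when
# the group does not exist on this system.
resolve_ssh_keys_gid() {
    gid=$(getent group ssh_keys 2>/dev/null | cut -d: -f3)
    if [ -n "$gid" ]; then printf '%s\n' "$gid"; else printf 'none\n'; fi
}

# check_ssh_host_keys DIR OWNER_UID KEYS_GID
# Audits every ssh_host_*_key in DIR. Assumed compliance rule: owned by
# OWNER_UID and either group 0 with mode 600, or group KEYS_GID with mode
# 600 or 640. Prints one FAIL line per violation; returns 1 if any, else 0.
check_ssh_host_keys() {
    dir=$1; owner=$2; keys_gid=$3; rc=0
    for f in "$dir"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        # stat gives numeric uid, gid and octal mode without a leading zero
        set -- $(stat -c '%u %g %a' "$f")
        uid=$1; gid=$2; mode=$3; ok=0
        if [ "$uid" = "$owner" ]; then
            if [ "$gid" = "0" ] && [ "$mode" = "600" ]; then ok=1; fi
            if [ "$gid" = "$keys_gid" ] && { [ "$mode" = "600" ] || [ "$mode" = "640" ]; }; then
                ok=1
            fi
        fi
        if [ "$ok" -eq 0 ]; then
            printf 'FAIL %s uid=%s gid=%s mode=%s\n' "$f" "$uid" "$gid" "$mode"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage against the real host: audit /etc/ssh with owner root
# and whatever GID ssh_keys actually has on this machine.
if [ "${1:-}" = "--run" ]; then
    check_ssh_host_keys /etc/ssh 0 "$(resolve_ssh_keys_gid)"
fi
```

Run with `--run` as root to audit `/etc/ssh`; a non-zero exit with FAIL lines means remediation (chown/chmod as the Benchmark specifies) is required.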
Download CIS Aliyun Linux 2 Benchmark version 1.0.0
Use CIS-CAT to evaluate the compliance of an ACK cluster with the CIS Benchmark
To evaluate the compliance of an ACK cluster with the CIS Benchmark, you can use the CIS Configuration Assessment Tool (CIS-CAT) to scan the cluster. CIS-CAT is a configuration assessment tool that scans the configuration of a system and produces a detailed evaluation report. You can run this tool on a system to obtain a benchmark score against a specified CIS Benchmark profile. The tool also provides remediation steps for noncompliant configurations. For more information, see CIS-CAT.
CIS-CAT has two editions: Lite and Pro. CIS-CAT Lite provides limited features and supports only the following systems: Windows 10, Ubuntu 18.04, and Google Chrome. CIS-CAT Lite does not support Alibaba Cloud Linux 2 and therefore cannot be used to scan ACK clusters for compliance evaluation.
CIS-CAT Pro has two versions: v4 and v3. The following section shows how to use CIS-CAT Pro v4 to scan an ACK cluster to evaluate the compliance of the cluster with the CIS Benchmark.