>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

V-242434Kubernetes Kubelet must enable kernel protection.

CAT I - High
CNTR-K8-001620

>Control Description

System kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.

>Check Content

On the Control Plane,

$ps -ef | grep kubelet

If the "--protect-kernel-defaults" option exists, this is a finding. Note the path to the config file (identified by --config).

$grep -i protectKernelDefaults <path_to_config_file>

If the setting "protectKernelDefaults" is not set or is set to false, this is a finding.

>Remediation

On the Control Plane,

$ps -ef | grep kubelet

Remove the "--protect-kernel-defaults" option if present. Note the path to the Kubernetes Kubelet config file (identified by --config). Edit the Kubernetes Kubelet config file: Set "protectKernelDefaults" to "true". Restart the kubelet service

$systemctl daemon-reload && systemctl restart kubelet

>CCI References

CCI-001084

Control Correlation Identifiers (CCIs) map STIG findings to NIST 800-53 controls.

>Cross-Framework Mappings

NIST SP 800-53 r5

via DISA CCI List
SC-3
Compare

Ask AI

Configure your API key to use AI features.