Azure Kubernetes Service (AKS) Ubuntu image alignment with Center for Internet Security (CIS) benchmark
As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI DSS, and HIPAA standards. This article covers the security OS configuration applied to Ubuntu image used by AKS. This security configuration is based on the Azure Linux security baseline, which aligns with CIS benchmark. For more information about AKS security, see Security concepts for applications and clusters in Azure Kubernetes Service (AKS). For more information about AKS security, see Security concepts for applications and clusters in Azure Kubernetes Service (AKS). For more information on the CIS benchmark, see Center for Internet Security (CIS) Benchmarks. For more information on the Azure security baselines for Linux, see Linux security baseline.
Ubuntu LTS 18.04
AKS clusters are deployed on host virtual machines, which run an operating system with built-in secure configurations. This operating system is used for containers running on AKS. This host operating system is based on an Ubuntu 18.04.LTS image with security configurations applied.
As a part of the security-optimized operating system:
- AKS provides a security-optimized host OS by default, but no option to select an alternate operating system.
- The security-optimized host OS is built and maintained specifically for AKS and is not supported outside of the AKS platform.
- Some unnecessary kernel module drivers have been disabled in the OS to reduce the attack surface area.
Note
Unrelated to the CIS benchmarks, Azure applies daily patches, including security patches, to AKS virtual machine hosts.
The goal of the secure configuration built into the host OS is to reduce the surface area of attack and optimize for the deployment of containers in a secure manner.
The following are the results from the CIS Ubuntu 18.04 LTS Benchmark v2.1.0 recommendations.
Recommendations can have one of the following reasons:
- Potential Operation Impact - Recommendation wasn't applied because it would have a negative effect on the service.
- Covered Elsewhere - Recommendation is covered by another control in Azure cloud compute.
The following are CIS rules implemented:
| CIS paragraph number | Recommendation description | Status | Reason |
|---|---|---|---|
| 1 | Initial Setup | ||
| 1.1 | Filesystem Configuration | ||
| 1.1.1 | Disable unused filesystems | ||
| 1.1.1.1 | Ensure mounting of cramfs filesystems is disabled | Pass | |
| 1.1.1.2 | Ensure mounting of freevxfs filesystems is disabled | Pass | |
| 1.1.1.3 | Ensure mounting of jffs2 filesystems is disabled | Pass | |
| 1.1.1.4 | Ensure mounting of hfs filesystems is disabled | Pass | |
| 1.1.1.5 | Ensure mounting of hfsplus filesystems is disabled | Pass | |
| 1.1.1.6 | Ensure mounting of udf filesystems is disabled | Fail | Potential Operational Impact |
| 1.1.2 | Ensure /tmp is configured | Fail | |
| 1.1.3 | Ensure nodev option set on /tmp partition | Fail | |
| 1.1.4 | Ensure nosuid option set on /tmp partition | Pass | |
| 1.1.5 | Ensure noexec option set on /tmp partition | Pass | |
| 1.1.6 | Ensure /dev/shm is configured | Pass | |
| 1.1.7 | Ensure nodev option set on /dev/shm partition | Pass | |
| 1.1.8 | Ensure nosuid option set on /dev/shm partition | Pass | |
| 1.1.9 | Ensure noexec option set on /dev/shm partition | Fail | Potential Operational Impact |
| 1.1.12 | Ensure /var/tmp partition includes the nodev option | Pass | |
| 1.1.13 | Ensure /var/tmp partition includes the nosuid option | Pass | |
| 1.1.14 | Ensure /var/tmp partition includes the noexec option | Pass | |
| 1.1.18 | Ensure /home partition includes the nodev option | Pass | |
| 1.1.19 | Ensure nodev option set on removable media partitions | Not Applicable | |
| 1.1.20 | Ensure nosuid option set on removable media partitions | Not Applicable | |
| 1.1.21 | Ensure noexec option set on removable media partitions | Not Applicable | |
| 1.1.22 | Ensure sticky bit is set on all world-writable directories | Fail | Potential Operation Impact |
| 1.1.23 | Disable Automounting | Pass | |
| 1.1.24 | Disable USB Storage | Pass | |
| 1.2 | Configure Software Updates | ||
| 1.2.1 | Ensure package manager repositories are configured | Pass | Covered Elsewhere |
| 1.2.2 | Ensure GPG keys are configured | Not Applicable | |
| 1.3 | Filesystem Integrity Checking | ||
| 1.3.1 | Ensure AIDE is installed | Fail | Covered Elsewhere |
| 1.3.2 | Ensure filesystem integrity is regularly checked | Fail | Covered Elsewhere |
| 1.4 | Secure Boot Settings | ||
| 1.4.1 | Ensure permissions on bootloader config aren't overridden | Fail | |
| 1.4.2 | Ensure bootloader password is set | Fail | Not Applicable |
| 1.4.3 | Ensure permissions on bootloader config are configured | Fail | |
| 1.4.4 | Ensure authentication required for single user mode | Fail | Not Applicable |
| 1.5 | Additional Process Hardening | ||
| 1.5.1 | Ensure XD/NX support is enabled | Not Applicable | |
| 1.5.2 | Ensure address space layout randomization (ASLR) is enabled | Pass | |
| 1.5.3 | Ensure prelink is disabled | Pass | |
| 1.5.4 | Ensure core dumps are restricted | Pass | |
| 1.6 | Mandatory Access Control | ||
| 1.6.1 | Configure AppArmor | ||
| 1.6.1.1 | Ensure AppArmor is installed | Pass | |
| 1.6.1.2 | Ensure AppArmor is enabled in the bootloader configuration | Fail | Potential Operation Impact |
| 1.6.1.3 | Ensure all AppArmor Profiles are in enforce or complain mode | Pass | |
| 1.7 | Command Line Warning Banners | ||
| 1.7.1 | Ensure message of the day is configured properly | Pass | |
| 1.7.2 | Ensure permissions on /etc/issue.net are configured | Pass | |
| 1.7.3 | Ensure permissions on /etc/issue are configured | Pass | |
| 1.7.4 | Ensure permissions on /etc/motd are configured | Pass | |
| 1.7.5 | Ensure remote login warning banner is configured properly | Pass | |
| 1.7.6 | Ensure local login warning banner is configured properly | Pass | |
| 1.8 | GNOME Display Manager | ||
| 1.8.2 | Ensure GDM login banner is configured | Pass | |
| 1.8.3 | Ensure disable-user-list is enabled | Pass | |
| 1.8.4 | Ensure XDCMP isn't enabled | Pass | |
| 1.9 | Ensure updates, patches, and additional security software are installed | Pass | |
| 2 | Services | ||
| 2.1 | Special Purpose Services | ||
| 2.1.1 | Time Synchronization | ||
| 2.1.1.1 | Ensure time synchronization is in use | Pass | |
| 2.1.1.2 | Ensure systemd-timesyncd is configured | Not Applicable | AKS uses ntpd for timesync |
| 2.1.1.3 | Ensure chrony is configured | Fail | Covered Elsewhere |
| 2.1.1.4 | Ensure ntp is configured | Pass | |
| 2.1.2 | Ensure X Window System isn't installed | Pass | |
| 2.1.3 | Ensure Avahi Server isn't installed | Pass | |
| 2.1.4 | Ensure CUPS isn't installed | Pass | |
| 2.1.5 | Ensure DHCP Server isn't installed | Pass | |
| 2.1.6 | Ensure LDAP server isn't installed | Pass | |
| 2.1.7 | Ensure NFS isn't installed | Pass | |
| 2.1.8 | Ensure DNS Server isn't installed | Pass | |
| 2.1.9 | Ensure FTP Server isn't installed | Pass | |
| 2.1.10 | Ensure HTTP server isn't installed | Pass | |
| 2.1.11 | Ensure IMAP and POP3 server aren't installed | Pass | |
| 2.1.12 | Ensure Samba isn't installed | Pass | |
| 2.1.13 | Ensure HTTP Proxy Server isn't installed | Pass | |
| 2.1.14 | Ensure SNMP Server isn't installed | Pass | |
| 2.1.15 | Ensure mail transfer agent is configured for local-only mode | Pass | |
| 2.1.16 | Ensure rsync service isn't installed | Fail | |
| 2.1.17 | Ensure NIS Server isn't installed | Pass | |
| 2.2 | Service Clients | ||
| 2.2.1 | Ensure NIS Client isn't installed | Pass | |
| 2.2.2 | Ensure rsh client isn't installed | Pass | |
| 2.2.3 | Ensure talk client isn't installed | Pass | |
| 2.2.4 | Ensure telnet client isn't installed | Fail | |
| 2.2.5 | Ensure LDAP client isn't installed | Pass | |
| 2.2.6 | Ensure RPC isn't installed | Fail | Potential Operational Impact |
| 2.3 | Ensure nonessential services are removed or masked | Pass | |
| 3 | Network Configuration | ||
| 3.1 | Disable unused network protocols and devices | ||
| 3.1.2 | Ensure wireless interfaces are disabled | Pass | |
| 3.2 | Network Parameters (Host Only) | ||
| 3.2.1 | Ensure packet redirect sending is disabled | Pass | |
| 3.2.2 | Ensure IP forwarding is disabled | Fail | Not Applicable |
| 3.3 | Network Parameters (Host and Router) | ||
| 3.3.1 | Ensure source routed packets aren't accepted | Pass | |
| 3.3.2 | Ensure ICMP redirects aren't accepted | Pass | |
| 3.3.3 | Ensure secure ICMP redirects aren't accepted | Pass | |
| 3.3.4 | Ensure suspicious packets are logged | Pass | |
| 3.3.5 | Ensure broadcast ICMP requests are ignored | Pass | |
| 3.3.6 | Ensure bogus ICMP responses are ignored | Pass | |
| 3.3.7 | Ensure Reverse Path Filtering is enabled | Pass | |
| 3.3.8 | Ensure TCP SYN Cookies is enabled | Pass | |
| 3.3.9 | Ensure IPv6 router advertisements aren't accepted | Pass | |
| 3.4 | Uncommon Network Protocols | ||
| 3.5 | Firewall Configuration | ||
| 3.5.1 | Configure UncomplicatedFirewall | ||
| 3.5.1.1 | Ensure ufw is installed | Pass | |
| 3.5.1.2 | Ensure iptables-persistent is not installed with ufw | Pass | |
| 3.5.1.3 | Ensure ufw service is enabled | Fail | Covered Elsewhere |
| 3.5.1.4 | Ensure ufw loopback traffic is configured | Fail | Covered Elsewhere |
| 3.5.1.5 | Ensure ufw outbound connections are configured | Not Applicable | Covered Elsewhere |
| 3.5.1.6 | Ensure ufw firewall rules exist for all open ports | Not Applicable | Covered Elsewhere |
| 3.5.1.7 | Ensure ufw default deny firewall policy | Fail | Covered Elsewhere |
| 3.5.2 | Configure nftables | ||
| 3.5.2.1 | Ensure nftables is installed | Fail | Covered Elsewhere |
| 3.5.2.2 | Ensure ufw is uninstalled or disabled with nftables | Fail | Covered Elsewhere |
| 3.5.2.3 | Ensure iptables are flushed with nftables | Not Applicable | Covered Elsewhere |
| 3.5.2.4 | Ensure a nftables table exists | Fail | Covered Elsewhere |
| 3.5.2.5 | Ensure nftables base chains exist | Fail | Covered Elsewhere |
| 3.5.2.6 | Ensure nftables loopback traffic is configured | Fail | Covered Elsewhere |
| 3.5.2.7 | Ensure nftables outbound and established connections are configured | Not Applicable | Covered Elsewhere |
| 3.5.2.8 | Ensure nftables default deny firewall policy | Fail | Covered Elsewhere |
| 3.5.2.9 | Ensure nftables service is enabled | Fail | Covered Elsewhere |
| 3.5.2.10 | Ensure nftables rules are permanent | Fail | Covered Elsewhere |
| 3.5.3 | Configure iptables | ||
| 3.5.3.1 | Configure iptables software | ||
| 3.5.3.1.1 | Ensure iptables packages are installed | Fail | Covered Elsewhere |
| 3.5.3.1.2 | Ensure nftables is not installed with iptables | Pass | |
| 3.5.3.1.3 | Ensure ufw is uninstalled or disabled with iptables | Fail | Covered Elsewhere |
| 3.5.3.2 | Configure IPv4 iptables | ||
| 3.5.3.2.1 | Ensure iptables default deny firewall policy | Fail | Covered Elsewhere |
| 3.5.3.2.2 | Ensure iptables loopback traffic is configured | Fail | Not Applicable |
| 3.5.3.2.3 | Ensure iptables outbound and established connections are configured | Not Applicable | |
| 3.5.3.2.4 | Ensure iptables firewall rules exist for all open ports | Fail | Potential Operation Impact |
| 3.5.3.3 | Configure IPv6 ip6tables | ||
| 3.5.3.3.1 | Ensure ip6tables default deny firewall policy | Fail | Covered Elsewhere |
| 3.5.3.3.2 | Ensure ip6tables loopback traffic is configured | Fail | Covered Elsewhere |
| 3.5.3.3.3 | Ensure ip6tables outbound and established connections are configured | Not Applicable | Covered Elsewhere |
| 3.5.3.3.4 | Ensure ip6tables firewall rules exist for all open ports | Fail | Covered Elsewhere |
| 4 | Logging and Auditing | ||
| 4.1 | Configure System Accounting (auditd) | ||
| 4.1.1.2 | Ensure auditing is enabled | ||
| 4.1.2 | Configure Data Retention | ||
| 4.2 | Configure Logging | ||
| 4.2.1 | Configure rsyslog | ||
| 4.2.1.1 | Ensure rsyslog is installed | Pass | |
| 4.2.1.2 | Ensure rsyslog Service is enabled | Pass | |
| 4.2.1.3 | Ensure logging is configured | Pass | |
| 4.2.1.4 | Ensure rsyslog default file permissions configured | Pass | |
| 4.2.1.5 | Ensure rsyslog is configured to send logs to a remote log host | Fail | Covered Elsewhere |
| 4.2.1.6 | Ensure remote rsyslog messages are only accepted on designated log hosts. | Not Applicable | |
| 4.2.2 | Configure journald | ||
| 4.2.2.1 | Ensure journald is configured to send logs to rsyslog | Pass | |
| 4.2.2.2 | Ensure journald is configured to compress large log files | Fail | |
| 4.2.2.3 | Ensure journald is configured to write logfiles to persistent disk | Pass | |
| 4.2.3 | Ensure permissions on all logfiles are configured | Fail | |
| 4.3 | Ensure logrotate is configured | Pass | |
| 4.4 | Ensure logrotate assigns appropriate permissions | Fail | |
| 5 | Access, Authentication, and Authorization | ||
| 5.1 | Configure time-based job schedulers | ||
| 5.1.1 | Ensure cron daemon is enabled and running | Pass | |
| 5.1.2 | Ensure permissions on /etc/crontab are configured | Pass | |
| 5.1.3 | Ensure permissions on /etc/cron.hourly are configured | Pass | |
| 5.1.4 | Ensure permissions on /etc/cron.daily are configured | Pass | |
| 5.1.5 | Ensure permissions on /etc/cron.weekly are configured | Pass | |
| 5.1.6 | Ensure permissions on /etc/cron.monthly are configured | Pass | |
| 5.1.7 | Ensure permissions on /etc/cron.d are configured | Pass | |
| 5.1.8 | Ensure cron is restricted to authorized users | Fail | |
| 5.1.9 | Ensure at is restricted to authorized users | Fail | |
| 5.2 | Configure sudo | ||
| 5.2.1 | Ensure sudo is installed | Pass | |
| 5.2.2 | Ensure sudo commands use pty | Fail | Potential Operational Impact |
| 5.2.3 | Ensure sudo log file exists | Fail | |
| 5.3 | Configure SSH Server | ||
| 5.3.1 | Ensure permissions on /etc/ssh/sshd_config are configured | Pass | |
| 5.3.2 | Ensure permissions on SSH private host key files are configured | Pass | |
| 5.3.3 | Ensure permissions on SSH public host key files are configured | Pass | |
| 5.3.4 | Ensure SSH access is limited | Pass | |
| 5.3.5 | Ensure SSH LogLevel is appropriate | Pass | |
| 5.3.7 | Ensure SSH MaxAuthTries is set to 4 or less | Pass | |
| 5.3.8 | Ensure SSH IgnoreRhosts is enabled | Pass | |
| 5.3.9 | Ensure SSH HostbasedAuthentication is disabled | Pass | |
| 5.3.10 | Ensure SSH root login is disabled | Pass | |
| 5.3.11 | Ensure SSH PermitEmptyPasswords is disabled | Pass | |
| 5.3.12 | Ensure SSH PermitUserEnvironment is disabled | Pass | |
| 5.3.13 | Ensure only strong Ciphers are used | Pass | |
| 5.3.14 | Ensure only strong MAC algorithms are used | Pass | |
| 5.3.15 | Ensure only strong Key Exchange algorithms are used | Pass | |
| 5.3.16 | Ensure SSH Idle Timeout Interval is configured | Fail | |
| 5.3.17 | Ensure SSH LoginGraceTime is set to one minute or less | Pass | |
| 5.3.18 | Ensure SSH warning banner is configured | Pass | |
| 5.3.19 | Ensure SSH PAM is enabled | Pass | |
| 5.3.21 | Ensure SSH MaxStartups is configured | Fail | |
| 5.3.22 | Ensure SSH MaxSessions is limited | Pass | |
| 5.4 | Configure PAM | ||
| 5.4.1 | Ensure password creation requirements are configured | Pass | |
| 5.4.2 | Ensure lockout for failed password attempts is configured | Fail | |
| 5.4.3 | Ensure password reuse is limited | Fail | |
| 5.4.4 | Ensure password hashing algorithm is SHA-512 | Pass | |
| 5.5 | User Accounts and Environment | ||
| 5.5.1 | Set Shadow Password Suite Parameters | ||
| 5.5.1.1 | Ensure minimum days between password changes is configured | Pass | |
| 5.5.1.2 | Ensure password expiration is 365 days or less | Pass | |
| 5.5.1.3 | Ensure password expiration warning days is 7 or more | Pass | |
| 5.5.1.4 | Ensure inactive password lock is 30 days or less | Pass | |
| 5.5.1.5 | Ensure all users last password change date is in the past | Fail | |
| 5.5.2 | Ensure system accounts are secured | Pass | |
| 5.5.3 | Ensure default group for the root account is GID 0 | Pass | |
| 5.5.4 | Ensure default user umask is 027 or more restrictive | Pass | |
| 5.5.5 | Ensure default user shell timeout is 900 seconds or less | Fail | |
| 5.6 | Ensure root login is restricted to system console | Not Applicable | |
| 5.7 | Ensure access to the su command is restricted | Fail | Potential Operation Impact |
| 6 | System Maintenance | ||
| 6.1 | System File Permissions | ||
| 6.1.2 | Ensure permissions on /etc/passwd are configured | Pass | |
| 6.1.3 | Ensure permissions on /etc/passwd- are configured | Pass | |
| 6.1.4 | Ensure permissions on /etc/group are configured | Pass | |
| 6.1.5 | Ensure permissions on /etc/group- are configured | Pass | |
| 6.1.6 | Ensure permissions on /etc/shadow are configured | Pass | |
| 6.1.7 | Ensure permissions on /etc/shadow- are configured | Pass | |
| 6.1.8 | Ensure permissions on /etc/gshadow are configured | Pass | |
| 6.1.9 | Ensure permissions on /etc/gshadow- are configured | Pass | |
| 6.1.10 | Ensure no world writable files exist | Fail | Potential Operation Impact |
| 6.1.11 | Ensure no unowned files or directories exist | Fail | Potential Operation Impact |
| 6.1.12 | Ensure no ungrouped files or directories exist | Fail | Potential Operation Impact |
| 6.1.13 | Audit SUID executables | Not Applicable | |
| 6.1.14 | Audit SGID executables | Not Applicable | |
| 6.2 | User and Group Settings | ||
| 6.2.1 | Ensure accounts in /etc/passwd use shadowed passwords | Pass | |
| 6.2.2 | Ensure password fields aren't empty | Pass | |
| 6.2.3 | Ensure all groups in /etc/passwd exist in /etc/group | Pass | |
| 6.2.4 | Ensure all users' home directories exist | Pass | |
| 6.2.5 | Ensure users own their home directories | Pass | |
| 6.2.6 | Ensure users' home directories permissions are 750 or more restrictive | Pass | |
| 6.2.7 | Ensure users' dot files aren't group or world writable | Pass | |
| 6.2.8 | Ensure no users have .netrc files | Pass | |
| 6.2.9 | Ensure no users have .forward files | Pass | |
| 6.2.10 | Ensure no users have .rhosts files | Pass | |
| 6.2.11 | Ensure root is the only UID 0 account | Pass | |
| 6.2.12 | Ensure root PATH Integrity | Pass | |
| 6.2.13 | Ensure no duplicate UIDs exist | Pass | |
| 6.2.14 | Ensure no duplicate GIDs exist | Pass | |
| 6.2.15 | Ensure no duplicate user names exist | Pass | |
| 6.2.16 | Ensure no duplicate group names exist | Pass | |
| 6.2.17 | Ensure shadow group is empty | Pass |
Next steps
For more information about AKS security, see the following articles:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for