Center for Internet Security (CIS) Azure Linux benchmark

The security OS configuration applied to the Azure Linux Container Host for AKS image is based on the Azure Linux security baseline, which aligns with the CIS benchmark. As a secure service, AKS complies with SOC, ISO, PCI DSS, and HIPAA standards. For more information about the Azure Linux Container Host security, see Security concepts for clusters in AKS. To learn more about the CIS benchmark, see Center for Internet Security (CIS) Benchmarks. For more information on the Azure security baselines for Linux, see Linux security baseline.

Azure Linux 2.0

This Azure Linux Container Host operating system is based on the Azure Linux 2.0 image with built-in security configurations applied.

As part of the security-optimized operating system:

• AKS and Azure Linux provide a security-optimized host OS by default with no option to select an alternate operating system.
• The security-optimized host OS is built and maintained specifically for AKS and is not supported outside of the AKS platform.
• Unnecessary kernel module drivers have been disabled in the OS to reduce the attack surface.

Recommendations

The below table has four sections:

• CIS ID: The associated rule ID with each of the baseline rules.
• Recommendation description: A description of the recommendation issued by the CIS benchmark.
• Level: L1, or Level 1, recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.
• Status:
  • Pass - The recommendation has been applied.
  • Fail - The recommendation hasn't been applied.
  • N/A - The recommendation relates to manifest file permission requirements that aren't relevant to AKS.
  • Depends on Environment - The recommendation is applied in the user's specific environment and isn't controlled by AKS.
  • Equivalent Control - The recommendation has been implemented in a different equivalent manner.
• Reason:
  • Potential Operation Impact - The recommendation wasn't applied because it would have a negative effect on the service.
  • Covered Elsewhere - The recommendation is covered by another control in Azure cloud compute.

The following are the results from the CIS Azure Linux 2.0 Benchmark v1.0 recommendations based on the CIS rules:

CIS ID	Recommendation description	Status	Reason
1.1.4	Disable Automounting	Pass
1.1.1.1	Ensure mounting of cramfs filesystems is disabled	Pass
1.1.2.1	Ensure /tmp is a separate partition	Pass
1.1.2.2	Ensure nodev option set on /tmp partition	Pass
1.1.2.3	Ensure nosuid option set on /tmp partition	Pass
1.1.8.1	Ensure nodev option set on /dev/shm partition	Pass
1.1.8.2	Ensure nosuid option set on /dev/shm partition	Pass
1.2.1	Ensure DNF gpgcheck is globally activated	Pass
1.2.2	Ensure TDNF gpgcheck is globally activated	Pass
1.5.1	Ensure core dump storage is disabled	Pass
1.5.2	Ensure core dump backtraces are disabled	Pass
1.5.3	Ensure address space layout randomization (ASLR) is enabled	Pass
1.7.1	Ensure local login warning banner is configured properly	Pass
1.7.2	Ensure remote login warning banner is configured properly	Pass
1.7.3	Ensure permissions on /etc/motd are configured	Pass
1.7.4	Ensure permissions on /etc/issue are configured	Pass
1.7.5	Ensure permissions on /etc/issue.net are configured	Pass
2.1.1	Ensure time synchronization is in use	Pass
2.1.2	Ensure chrony is configured	Pass
2.2.1	Ensure xinetd isn't installed	Pass
2.2.2	Ensure xorg-x11-server-common isn't installed	Pass
2.2.3	Ensure avahi isn't installed	Pass
2.2.4	Ensure a print server isn't installed	Pass
2.2.5	Ensure a dhcp server isn't installed	Pass
2.2.6	Ensure a dns server isn't installed	Pass
2.2.7	Ensure FTP client isn't installed	Pass
2.2.8	Ensure an ftp server isn't installed	Pass
2.2.9	Ensure a tftp server isn't installed	Pass
2.2.10	Ensure a web server isn't installed	Pass
2.2.11	Ensure IMAP and POP3 server isn't installed	Pass
2.2.12	Ensure Samba isn't installed	Pass
2.2.13	Ensure HTTP Proxy Server isn't installed	Pass
2.2.14	Ensure net-snmp isn't installed or the snmpd service isn't enabled	Pass
2.2.15	Ensure NIS server isn't installed	Pass
2.2.16	Ensure telnet-server isn't installed	Pass
2.2.17	Ensure mail transfer agent is configured for local-only mode	Pass
2.2.18	Ensure nfs-utils isn't installed or the nfs-server service is masked	Pass
2.2.19	Ensure rsync-daemon isn't installed or the rsyncd service is masked	Pass
2.3.1	Ensure NIS Client isn't installed	Pass
2.3.2	Ensure rsh client isn't installed	Pass
2.3.3	Ensure talk client isn't installed	Pass
2.3.4	Ensure telnet client isn't installed	Pass
2.3.5	Ensure LDAP client isn't installed	Pass
2.3.6	Ensure TFTP client isn't installed	Pass
3.1.1	Ensure IPv6 is enabled	Pass
3.2.1	Ensure packet redirect sending is disabled	Pass
3.3.1	Ensure source routed packets aren't accepted	Pass
3.3.2	Ensure ICMP redirects aren't accepted	Pass
3.3.3	Ensure secure ICMP redirects aren't accepted	Pass
3.3.4	Ensure suspicious packets are logged	Pass
3.3.5	Ensure broadcast ICMP requests are ignored	Pass
3.3.6	Ensure bogus ICMP responses are ignored	Pass
3.3.7	Ensure Reverse Path Filtering is enabled	Pass
3.3.8	Ensure TCP SYN Cookies is enabled	Pass
3.3.9	Ensure IPv6 router advertisements aren't accepted	Pass
3.4.3.1.1	Ensure iptables package is installed	Pass
3.4.3.1.2	Ensure nftables isn't installed with iptables	Pass
3.4.3.1.3	Ensure firewalld is either not installed or masked with iptables	Pass
4.2	Ensure logrotate is configured	Pass
4.2.2	Ensure all log files have appropriate access configured	Pass
4.2.1.1	Ensure rsyslog is installed	Pass
4.2.1.2	Ensure rsyslog service is enabled	Pass
4.2.1.3	Ensure rsyslog default file permissions are configured	Pass
4.2.1.4	Ensure logging is configured	Pass
4.2.1.5	Ensure rsyslog isn't configured to receive logs from a remote client	Pass
5.1.1	Ensure cron daemon is enabled	Pass
5.1.2	Ensure permissions on /etc/crontab are configured	Pass
5.1.3	Ensure permissions on /etc/cron.hourly are configured	Pass
5.1.4	Ensure permissions on /etc/cron.daily are configured	Pass
5.1.5	Ensure permissions on /etc/cron.weekly are configured	Pass
5.1.6	Ensure permissions on /etc/cron.monthly are configured	Pass
5.1.7	Ensure permissions on /etc/cron.d are configured	Pass
5.1.8	Ensure cron is restricted to authorized users	Pass
5.1.9	Ensure at is restricted to authorized users	Pass
5.2.1	Ensure permissions on /etc/ssh/sshd_config are configured	Pass
5.2.2	Ensure permissions on SSH private host key files are configured	Pass
5.2.3	Ensure permissions on SSH public host key files are configured	Pass
5.2.4	Ensure SSH access is limited	Pass
5.2.5	Ensure SSH LogLevel is appropriate	Pass
5.2.6	Ensure SSH PAM is enabled	Pass
5.2.7	Ensure SSH root login is disabled	Pass
5.2.8	Ensure SSH HostbasedAuthentication is disabled	Pass
5.2.9	Ensure SSH PermitEmptyPasswords is disabled	Pass
5.2.10	Ensure SSH PermitUserEnvironment is disabled	Pass
5.2.11	Ensure SSH IgnoreRhosts is enabled	Pass
5.2.12	Ensure only strong Ciphers are used	Pass
5.2.13	Ensure only strong MAC algorithms are used	Pass
5.2.14	Ensure only strong Key Exchange algorithms are used	Pass
5.2.15	Ensure SSH warning banner is configured	Pass
5.2.16	Ensure SSH MaxAuthTries is set to 4 or less	Pass
5.2.17	Ensure SSH MaxStartups is configured	Pass
5.2.18	Ensure SSH LoginGraceTime is set to one minute or less	Pass
5.2.19	Ensure SSH MaxSessions is set to 10 or less	Pass
5.2.20	Ensure SSH Idle Timeout Interval is configured	Pass
5.3.1	Ensure sudo is installed	Pass
5.3.2	Ensure reauthentication for privilege escalation isn't disabled globally	Pass
5.3.3	Ensure sudo authentication timeout is configured correctly	Pass
5.4.1	Ensure password creation requirements are configured	Pass
5.4.2	Ensure lockout for failed password attempts is configured	Pass
5.4.3	Ensure password hashing algorithm is SHA-512	Pass
5.4.4	Ensure password reuse is limited	Pass
5.5.2	Ensure system accounts are secured	Pass
5.5.3	Ensure default group for the root account is GID 0	Pass
5.5.4	Ensure default user umask is 027 or more restrictive	Pass
5.5.1.1	Ensure password expiration is 365 days or less	Pass
5.5.1.2	Ensure minimum days between password changes are configured	Pass
5.5.1.3	Ensure password expiration warning days are 7 or more	Pass
5.5.1.4	Ensure inactive password lock is 30 days or less	Pass
5.5.1.5	Ensure all users last password change date is in the past	Pass
6.1.1	Ensure permissions on /etc/passwd are configured	Pass
6.1.2	Ensure permissions on /etc/passwd- are configured	Pass
6.1.3	Ensure permissions on /etc/group are configured	Pass
6.1.4	Ensure permissions on /etc/group- are configured	Pass
6.1.5	Ensure permissions on /etc/shadow are configured	Pass
6.1.6	Ensure permissions on /etc/shadow- are configured	Pass
6.1.7	Ensure permissions on /etc/gshadow are configured	Pass
6.1.8	Ensure permissions on /etc/gshadow- are configured	Pass
6.1.9	Ensure no unowned or ungrouped files or directories exist	Pass
6.1.10	Ensure world writable files and directories are secured	Pass
6.2.1	Ensure password fields aren't empty	Pass
6.2.2	Ensure all groups in /etc/passwd exist in /etc/group	Pass
6.2.3	Ensure no duplicate UIDs exist	Pass
6.2.4	Ensure no duplicate GIDs exist	Pass
6.2.5	Ensure no duplicate user names exist	Pass
6.2.6	Ensure no duplicate group names exist	Pass
6.2.7	Ensure root PATH Integrity	Pass
6.2.8	Ensure root is the only UID 0 account	Pass
6.2.9	Ensure all users' home directories exist	Pass
6.2.10	Ensure users' own their home directories	Pass
6.2.11	Ensure users' home directories permissions are 750 or more restrictive	Pass
6.2.12	Ensure users' dot files aren't group or world writable	Pass
6.2.13	Ensure users' .netrc files aren't group or world accessible	Pass
6.2.14	Ensure no users have .forward files	Pass
6.2.15	Ensure no users have .netrc files	Pass
6.2.16	Ensure no users have .rhosts files	Pass

Next steps

For more information about Azure Linux Container Host security, see the following articles:

• Azure Linux Container Host for AKS
• Security concepts for clusters in AKS