forked from elastic/csp-security-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
data.yaml
41 lines (38 loc) · 1.5 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
metadata:
id: 75faeb95-6d19-5205-85b9-4bb1471292c4
name: Ensure that the --profiling argument is set to false
rule_number: 1.3.2
profile_applicability: '* Level 1 - Master Node'
description: Disable profiling, if not needed.
rationale: |-
Profiling allows for the identification of specific performance bottlenecks.
It generates a significant amount of program data that could potentially be exploited to uncover system and program details.
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.
audit: |-
Run the following command on the Control Plane node:
```
ps -ef | grep kube-controller-manager
```
Verify that the `--profiling` argument is set to `false`.
remediation: |-
Edit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the Control Plane node and set the below parameter.
```
--profiling=false
```
impact: Profiling information would not be available.
default_value: |
By default, profiling is enabled.
references: |-
1. https://kubernetes.io/docs/admin/kube-controller-manager/
2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md
section: Controller Manager
version: '1.0'
tags:
- CIS
- Kubernetes
- CIS 1.3.2
- Controller Manager
benchmark:
name: CIS Kubernetes V1.23
version: v1.0.1
id: cis_k8s