5 changes: 5 additions & 0 deletions docs/canonicalk8s/.sphinx/.wordlist.txt
Expand Up @@ -9,6 +9,7 @@ Charmhub
CLI
DCO
Diátaxis
disa
Dqlite
dropdown
EBS
Expand Down Expand Up @@ -46,18 +47,22 @@ OEM
OLM
Permalink
pre
PSS
Quickstart
ReadMe
reST
reStructuredText
roadmap
RTD
stateful
stig
subdirectories
subfolders
subtree
TODO
Ubuntu
UI
usg
UUID
VM
webhook
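Review bot: `stig` and `usg` (and `disa` in the hunk above) are added in lowercase while every other acronym in this list (`CLI`, `DCO`, `PSS`, `RTD`, `UI`) is uppercase. If the intent is to whitelist the tokens inside hyphenated names such as `disa-stig-hardening` and the `usg` tool name that is fine, but please confirm whether the checker is case-insensitive; if it is not, `DISA` and `STIG` written as acronyms in prose will still be flagged and need their own entries.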
4 changes: 2 additions & 2 deletions docs/canonicalk8s/charm/howto/contribute.md
Expand Up @@ -119,8 +119,8 @@ and formatting contained in the [_parts][] directory of the docs.
### Local testing

To test your changes locally, you can build a local version of the
documentation. Open a terminal and go to the `/docs/tools` directory. From
there you can run the command:
documentation. Open a terminal and go to the `/docs/canonicalk8s` directory.
From there you can run the command:

```
make run
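Review bot: the path change to `/docs/canonicalk8s` should be checked against where the Makefile that provides the `run` target actually lives now; the hunk only shows `make run` and nothing in it confirms that the target exists under the new directory.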
4 changes: 2 additions & 2 deletions docs/canonicalk8s/snap/howto/contribute.md
Expand Up @@ -184,8 +184,8 @@ and formatting contained in the [_parts][] directory of the docs.
### Local testing

To test your changes locally, you can build a local version of the
documentation. Open a terminal and go to the `/docs/tools` directory. From
there you can run the command:
documentation. Open a terminal and go to the `/docs/canonicalk8s` directory.
From there you can run the command:

```
make run
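Review bot: this "Local testing" section is now a word-for-word copy of the one in `docs/canonicalk8s/charm/howto/contribute.md`, and both had to be patched for the same directory rename. Since the context line above already points readers at the `_parts` directory for shared content, consider moving this section there so the two pages cannot drift apart again.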
97 changes: 86 additions & 11 deletions docs/canonicalk8s/snap/howto/security/disa-stig-assessment.md
Expand Up @@ -13,7 +13,8 @@ However, additional hardening steps are required to fully meet the standard.

This guide assumes the following:

- You have a bootstrapped {{product}} cluster (see the [getting started] guide)
- You have a bootstrapped {{product}} cluster using the DISA STIG bootstrap
template (see the [disa-stig hardening] guide)
- You have root or sudo access to the machine
- You have reviewed the [post-deployment hardening] guide and have applied the
hardening steps that are relevant to your use-case
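Review bot: the first assumption now requires a cluster bootstrapped with the DISA STIG bootstrap template, but the `[post-deployment hardening]` bullet still describes applying hardening steps after the fact, and readers who followed the old `[getting started]` path no longer have a pointer. Please state explicitly whether an existing cluster bootstrapped without the template can be brought into scope of this assessment or must be re-bootstrapped.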
Expand All @@ -34,11 +35,21 @@ does not package, etc.
administrator or a user policy needs to be followed.


| Class | Guideline |
| ------ | ----- |
| `Deployment` (70) | V-242379, V-242380, V-242381, V-242382, V-242387, V-242388, V-242389, V-242391, V-242392, V-242397, V-242400, V-242405, V-242406, V-242407, V-242408, V-242409, V-242418, V-242419, V-242420, V-242421, V-242422, V-242423, V-242426, V-242427, V-242428, V-242429, V-242430, V-242431, V-242432, V-242433, V-242434, V-242436, V-242444, V-242445, V-242446, V-242447, V-242448, V-242449, V-242450, V-242451, V-242452, V-242453, V-242456, V-242457, V-242459, V-242460, V-242466, V-242467, V-245542, V-245543, V-245544, V-254801, V-242376, V-242377, V-242378, V-242384, V-242385, V-242390, V-242402, V-242403, V-242404, V-242424, V-242425, V-242438, V-242461, V-242462, V-242463, V-242464, V-242465, V-245541 |
| `Not Applicable` (13) | V-242386, V-242393, V-242394, V-242395, V-242396, V-242398, V-242399, V-242437, V-242442, V-242443, V-242454, V-242455 |
| `Manual` (8) | V-242383, V-242410, V-242411, V-242412, V-242413, V-242414, V-242415, V-242417, V-254800 |
| Class | Guideline |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Deployment` (70) | V-242379, V-242380, V-242381, V-242382, V-242387, V-242388, V-242389, V-242391, V-242392, V-242397, V-242400, V-242405, V-242406, V-242407, V-242408, V-242409, V-242418, V-242419, V-242420, V-242421, V-242422, V-242423, V-242426, V-242427, V-242428, V-242429, V-242430, V-242431, V-242432, V-242433, V-242434, V-242436, V-242444, V-242445, V-242446, V-242447, V-242448, V-242449, V-242450, V-242451, V-242452, V-242453, V-242456, V-242457, V-242459, V-242460, V-242466, V-242467, V-245542, V-245543, V-245544, V-254801, V-242376, V-242377, V-242378, V-242384, V-242385, V-242390, V-242402, V-242403, V-242404, V-242424, V-242425, V-242438, V-242461, V-242462, V-242463, V-242464, V-242465, V-245541 |
| `Not Applicable` (13) | V-242386, V-242393, V-242394, V-242395, V-242396, V-242398, V-242399, V-242437, V-242442, V-242443, V-242454, V-242455 |
| `Manual` (8) | V-242383, V-242410, V-242411, V-242412, V-242413, V-242414, V-242415, V-242417, V-254800 |

## Known Limitations

- The Kubernetes cluster upgrade process may require an additional step
of installing a new core snap before the k8s snap gets refreshed
- Cluster orchestration with CAPI and Juju are not supported
- Manually updating the docker image tags used by default on
{{ product }} may result in a non-FIPS compliant setup
- {{ product }} services will crash on a host with FIPS kernel
but not with core22 from the FIPS channel

## [V-242381]

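Review bot: the counts in the reformatted table do not match their rows: `Not Applicable` says (13) but lists 12 guideline IDs, and `Manual` says (8) but lists 9 (`Deployment` (70) checks out). Since this hunk rewrites those rows anyway, fix the counts or the lists here. In the new Known Limitations section, three of the four bullets are about FIPS (`non-FIPS compliant setup`, `FIPS kernel`, `core22 from the FIPS channel`) on a DISA STIG assessment page; please confirm they apply here and were not carried over from a FIPS page. Minor: "Cluster orchestration with CAPI and Juju are not supported" should read "is not supported", and `{{ product }}` is spaced differently from the `{{product}}` form used elsewhere in this file.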
Expand Down Expand Up @@ -619,6 +630,32 @@ The final line of the output will be `PASS`.
> cryptographic keys, API tokens, etc).
>

### Remediation

Canonical Kubernetes follows this rule by default, but it’s up to users to
follow in pods they create.


### Auditing (as root)

The environment of each user-created pod should be inspected using the
command below to ensure there is no sensitive information (e.g. passwords,
cryptographic keys, API tokens, etc).

```bash
sudo k8s kubectl exec -it <pod-name> -n <namespace> -- env
```

When creating additional pods, deployments, stateful sets, and daemon sets,
do not place or reference secrets in their environment. To verify that there
are no secrets present you should check the output of:

```bash
sudo k8s kubectl get pods --all-namespaces -o yaml| grep -A5 "env:"
sudo k8s kubectl get deployments --all-namespaces -o yaml| grep -A5 "env:"
sudo k8s kubectl get daemonset --all-namespaces -o yaml| grep -A5 "env:"
sudo k8s kubectl get statefulset --all-namespaces -o yaml| grep -A5 "env:"
```


## [V-242434]
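Review bot: `grep -A5 "env:"` prints only five lines after each `env:` key, so any container with more than a couple of environment entries has the rest of its list cut off and a secret reference further down goes unseen; match on the secret-reference keys themselves (`secretKeyRef`, and `envFrom` with `secretRef`, which does not appear under `env:` at all) instead of a fixed line window, or review the full `-o yaml` output. Also note that `kubectl exec ... -- env` prints resolved values, so an auditor running it will have any secret that is present echoed into their terminal and shell history; the YAML-based check is the safer first pass. Style: `-o yaml| grep` is missing a space before the pipe, and "Canonical Kubernetes" in the Remediation paragraph should be `{{product}}` like the rest of the file.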
Expand Down Expand Up @@ -647,10 +684,10 @@ The final line of the output will be `PASS`.
> This flag is not set by default in the k8s-snap, as it may prevent kubelet
> from starting normally unless the kernel settings are as Kubelet expects.
>
> Please review the hardening guide for information on how to properly
> Please review the disa-stig hardening guide for information on how to properly
> configure the Node's Operating System for Kubelet.
>
> https://documentation.ubuntu.com/canonical-kubernetes/latest/snap/howto/security/hardening/
> https://documentation.ubuntu.com/canonical-kubernetes/latest/snap/howto/security/disa-stig-hardening/
>


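Review bot: the quoted block reads as the assessment tool's own output, so the URL changed here (`.../security/disa-stig-hardening/`) must match what the tool actually prints; otherwise the page documents output the tool does not produce, and the tool should be updated first. Separately, this is an absolute link to `latest` while the rest of the file reaches the same guide through the `[disa-stig hardening]` reference; if the block is plain prose rather than captured output, use the reference link instead.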
Expand Down Expand Up @@ -1083,7 +1120,8 @@ configured
> Administrator on a per-organization basis.
>
> Instructions on how to configure an `--admission-control-config-file` for the
> Kube API Server of the k8s-snap can be found in the [hardening guide page].
> Kube API Server of the k8s-snap can be found in the [disa-stig hardening]
> guide.
>


Expand Down Expand Up @@ -2212,6 +2250,16 @@ results
> https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-kubectl-potential-directory-traversal-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-1002101/5712
>

### Remediation

This requirement can be satisfied by using the kubectl command built into the
k8s snap (available via `k8s kubectl …`) or the kubectl snap from tracks
`1.13+`:

```bash
snap install kubectl --classic
```



## [V-242398]
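Review bot: "the kubectl snap from tracks `1.13+`" is looser than the advisory linked in the context line, which names 1.11.9, 1.12.7, 1.13.5 and 1.14.0 as the fixed releases: the 1.13 track is only safe from 1.13.5 onward, and the earlier tracks have fixed point releases too. State the minimum patch version, and since `snap install kubectl --classic` as written installs whatever the default track is, show the `--channel=` pin a reader needs to land on a fixed release.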
Expand Down Expand Up @@ -3123,7 +3171,11 @@ Category Assurance List (PPSM CAL)
>
> Please, consult the [ports and services] page on the ports, protocols and
> services used by {{product}}.

>
> Update the PPSM list for your cluster anytime the list of ports,
> protocols, and services used by your cluster changes. For instance, this
> list will need to be updated each time a new service is exposed
> externally.


## [V-242411]
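Review bot: this "Update the PPSM list ..." paragraph is pasted verbatim into five rule sections in this file (this one and the four that follow); consider a shared snippet or a single cross-reference so that future wording changes do not need five edits. Minor: "anytime" should be "any time" here.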
Expand Down Expand Up @@ -3156,6 +3208,11 @@ Category Assurance List (PPSM CAL)
>
> Please, consult the [ports and services] page on the ports, protocols and
> services used by {{product}}.
>
> Update the PPSM list for your cluster anytime the list of ports,
> protocols, and services used by your cluster changes. For instance, this
> list will need to be updated each time a new service is exposed
> externally.



Expand Down Expand Up @@ -3189,6 +3246,11 @@ Category Assurance List (PPSM CAL)
>
> Please, consult the [ports and services] page on the ports, protocols and
> services used by {{product}}.
>
> Update the PPSM list for your cluster anytime the list of ports,
> protocols, and services used by your cluster changes. For instance, this
> list will need to be updated each time a new service is exposed
> externally.



Expand Down Expand Up @@ -3221,6 +3283,12 @@ Assurance List (PPSM CAL)
>
> Please, consult the [ports and services] page on the ports, protocols and
> services used by {{product}}.
>
> Update the PPSM list for your cluster anytime the list of ports,
> protocols, and services used by your cluster changes. For instance, this
> list will need to be updated each time a new service is exposed
> externally.


````

Expand All @@ -3236,6 +3304,13 @@ Assurance List (PPSM CAL)
>
> https://www.esd.whs.mil/portals/54/documents/dd/issuances/dodi/855101p.pdf
>
> Please, consult the [ports and services] page on the ports, protocols and
> services used by {{product}}.
>
> Update the PPSM list for your cluster anytime the list of ports,
> protocols, and services used by your cluster changes. For instance, this
> list will need to be updated each time a new service is exposed
> externally.

````

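Review bot: the added `> Please, consult the [ports and services] page ...` lines sit immediately before a four-backtick fence line; if that fence closes a block enclosing the quoted text, the `[ports and services]` reference link will render literally rather than as a link. Please confirm the fence structure (the same question applies to the hunk above, which also ends at a four-backtick line).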
Expand Down Expand Up @@ -7189,7 +7264,7 @@ The final line of the output will be `PASS`.


<!-- Links -->
[getting started]: ../../tutorial/getting-started
[disa-stig hardening]: disa-stig-hardening.md
[ports and services]:/snap/reference/ports-and-services.md
[post-deployment hardening]: hardening.md
[Kubernetes STIG]:https://stigviewer.com/stigs/kubernetes/
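Review bot: removing the `[getting started]` link definition breaks any remaining `[getting started]` reference in this 7000-plus-line file; the diff shows only the one use in the assumptions list being replaced, so please grep the file for other uses before dropping the definition. Style: `[ports and services]:/snap/reference/ports-and-services.md` has no space after the colon and uses a root-relative path, whereas the neighbouring definitions use a space and a relative `.md` path.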