init

Author: Brian Tray

articles/operator-nexus/concepts-security.md

@@ -1,7 +1,7 @@
 ---
 title: "Azure Operator Nexus: Security concepts"
-description: Security overview for Azure Operator Nexus 
-author: scottsteinbrueck 
+description: Security overview for Azure Operator Nexus
+author: scottsteinbrueck
 ms.author: ssteinbrueck
 ms.service: azure-operator-nexus
 ms.topic: conceptual
@@ -11,13 +11,13 @@ ms.custom: template-concept
 
 # Azure Operator Nexus security
 
-Azure Operator Nexus is designed and built to both detect and defend against 
-the latest security threats and comply with the strict requirements of government 
-and industry security standards. Two cornerstones form the foundation of its 
+Azure Operator Nexus is designed and built to both detect and defend against
+the latest security threats and comply with the strict requirements of government
+and industry security standards. Two cornerstones form the foundation of its
 security architecture:
 
 * **Security by default** - Security resiliency is an inherent part of the platform with little to no configuration changes needed to use it securely.
-* **Assume breach** - The underlying assumption is that any system can be compromised, and as such the goal is to minimize the impact of a security breach if one occurs. 
+* **Assume breach** - The underlying assumption is that any system can be compromised, and as such the goal is to minimize the impact of a security breach if one occurs.
 
 Azure Operator Nexus realizes the above by leveraging Microsoft cloud-native security tools that give you the ability to improve your cloud security posture while allowing you to protect your operator workloads.
 
@@ -50,3 +50,54 @@ You have the option to enable Defender for Containers protection within Defender
 It is important to understand that in a cloud environment, security is a [shared responsibility](../security/fundamentals/shared-responsibility.md) between you and the cloud provider. The responsibilities vary depending on the type of cloud service your workloads run on, whether it is Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), as well as where the workloads are hosted – within the cloud provider’s or your own on-premises datacenters.
 
 Azure Operator Nexus workloads run on servers in your datacenters, so you are in control of changes to your on-premises environment. Microsoft periodically makes new platform releases available that contain security and other updates. You must then decide when to apply these releases to your environment as appropriate for your organization’s business needs.
+
+## Kubernetes Security Benchmark Scanning
+
+Industry standard security benchmarking tools are used to scan the Azure Operator Nexus platform for security compliance. These tools include [OpenSCAP](https://public.cyber.mil/stigs/scap/), to evaluate compliance with Kubernetes Security Technical Implementation Guide (STIG) controls, and Aqua Security’s [Kube-Bench](https://github.com/aquasecurity/kube-bench/tree/main), to evaluate compliance with the Center for Internet Security (CIS) Kubernetes Benchmarks.
+
+Some controls are not technically feasible to implement in the Azure Operator Nexus environment, and these excepoted controls are documented below for the applicable Nexus layers.
+
+Environmental controls such as RBAC and Service Account tests are not evaluated by these tools, as they may be differ based on customer requirements.
+
+**NTF = Not Technically Feasible**
+
+### OpenSCAP STIG
+
+*Undercloud*
+
+:::image type="content" source="media/security/undercloud-openscap.png" alt-text="Screenshot of OpenSCAP STIG exceptions" lightbox="media/security/media/security/undercloud-openscap.png":::
+
+| STIG ID | Recommendation description|Status|Issue|
+|---|---|---|---|
+|V-242386|The Kubernetes API server must have the insecure port flag disabled|NTF|This check is deprecated in v1.24.0 and greater|
+|V-242397|The Kubernetes kubelet staticPodPath must not enable static pods|NTF|Only enabled for control nodes, required for kubeadm|
+|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore are not captured in the audit logs|
+|V-242424|Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service|NTF|Kubelet SANS contains hostname only|
+|V-242425|Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.|NTF|Kubelet SANS contains hostname only|
+|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection is not applicable for kubeadm in Nexus|
+
+*Nexus Kubernetes/NAKS*
+
+*Cluster Manager - Azure Kubernetes*
+
+### Aquasec Kube-Bench
+
+*Undercloud*
+
+:::image type="content" source="media/security/undercloud-kubebench.png" alt-text="Screenshot of Kube-Bench exceptions" lightbox="media/security/media/security/undercloud-kubebench.png":::
+
+| CIS ID | Recommendation description|Status|Issue|
+|---|---|---|---|
+|1|Control Plane Components|||
+|1.1|Control Plane Node Configuration Files|||
+|1.1.12|Ensure that the etcd data directory ownership is set to etcd:etcd|NTF|Nexus is root:root, etcd user is not configured for kubeadm|
+|1.2|API Server||||
+|1.1.12|Ensure that the --kubelet-certificate-authority argument is set as appropriate|NTF|Kubelet SANS includes hostname only|
+
+
+*Nexus Kubernetes/NAKS*
+
+*Cluster Manager*
+
+The Operator Nexus Cluster Manager is an AKS implementation. The CIS benchmark report for AKS can be found [here](https://learn.microsoft.com/en-us/azure/aks/cis-kubernetes) to review the tested controls and results.
+