Skip to content

Commit d113148

Browse files
mattmcinnesmattmcinnes
authored
Acrolinx edits
1 parent 5e872be commit d113148

File tree

1 file changed

+32
-31
lines changed

1 file changed

+32
-31
lines changed

articles/aks/cis-ubuntu.md

Lines changed: 32 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -3,12 +3,13 @@ title: Azure Kubernetes Service (AKS) Ubuntu image alignment with Center for Int
33
description: Learn how AKS applies the CIS benchmark
44
ms.topic: article
55
ms.date: 04/19/2023
6+
ms.author: mgoedtel
67
ms.reviewer: mattmcinnes
78
---
89

910
# Azure Kubernetes Service (AKS) Ubuntu image alignment with Center for Internet Security (CIS) benchmark
1011

11-
As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI DSS, and HIPAA standards. This article covers the security OS configuration applied to Ubuntu imaged used by AKS. This security configuration is based on the Azure Linux security baseline which aligns with CIS benchmark. For more information about AKS security, see Security concepts for applications and clusters in Azure Kubernetes Service (AKS). For more information about AKS security, see [Security concepts for applications and clusters in Azure Kubernetes Service (AKS)](./concepts-security.md). For more information on the CIS benchmark, see [Center for Internet Security (CIS) Benchmarks][cis-benchmarks]. For more information on the Azure security baselines for Linux, see [Linux security baseline][linux-security-baseline].
12+
As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI DSS, and HIPAA standards. This article covers the security OS configuration applied to Ubuntu imaged used by AKS. This security configuration is based on the Azure Linux security baseline, which aligns with CIS benchmark. For more information about AKS security, see Security concepts for applications and clusters in Azure Kubernetes Service (AKS). For more information about AKS security, see [Security concepts for applications and clusters in Azure Kubernetes Service (AKS)](./concepts-security.md). For more information on the CIS benchmark, see [Center for Internet Security (CIS) Benchmarks][cis-benchmarks]. For more information on the Azure security baselines for Linux, see [Linux security baseline][linux-security-baseline].
1213

1314
## Ubuntu LTS 18.04
1415

@@ -29,7 +30,7 @@ The following are the results from the [CIS Ubuntu 18.04 LTS Benchmark v2.1.0][c
2930

3031
Recommendations can have one of the following reasons:
3132

32-
* *Potential Operation Impact* - Recommendation was not applied because it would have a negative effect on the service.
33+
* *Potential Operation Impact* - Recommendation wasn't applied because it would have a negative effect on the service.
3334
* *Covered Elsewhere* - Recommendation is covered by another control in Azure cloud compute.
3435

3536
The following are CIS rules implemented:
@@ -70,7 +71,7 @@ The following are CIS rules implemented:
7071
| 1.3.1 | Ensure AIDE is installed | Fail | Covered Elsewhere |
7172
| 1.3.2 | Ensure filesystem integrity is regularly checked | Fail | Covered Elsewhere |
7273
| 1.4 | Secure Boot Settings |||
73-
| 1.4.1 | Ensure permissions on bootloader config are not overridden | Fail | |
74+
| 1.4.1 | Ensure permissions on bootloader config aren't overridden | Fail | |
7475
| 1.4.2 | Ensure bootloader password is set | Fail | Not Applicable|
7576
| 1.4.3 | Ensure permissions on bootloader config are configured | Fail | |
7677
| 1.4.4 | Ensure authentication required for single user mode | Fail | Not Applicable |
@@ -94,7 +95,7 @@ The following are CIS rules implemented:
9495
| 1.8 | GNOME Display Manager |||
9596
| 1.8.2 | Ensure GDM login banner is configured | Pass ||
9697
| 1.8.3 | Ensure disable-user-list is enabled | Pass ||
97-
| 1.8.4 | Ensure XDCMP is not enabled | Pass ||
98+
| 1.8.4 | Ensure XDCMP isn't enabled | Pass ||
9899
| 1.9 | Ensure updates, patches, and additional security software are installed | Pass ||
99100
| 2 | Services |||
100101
| 2.1 | Special Purpose Services |||
@@ -103,29 +104,29 @@ The following are CIS rules implemented:
103104
| 2.1.1.2 | Ensure systemd-timesyncd is configured | Not Applicable | AKS uses ntpd for timesync |
104105
| 2.1.1.3 | Ensure chrony is configured | Fail | Covered Elsewhere |
105106
| 2.1.1.4 | Ensure ntp is configured | Pass ||
106-
| 2.1.2 | Ensure X Window System is not installed | Pass ||
107-
| 2.1.3 | Ensure Avahi Server is not installed | Pass ||
108-
| 2.1.4 | Ensure CUPS is not installed | Pass ||
109-
| 2.1.5 | Ensure DHCP Server is not installed | Pass ||
110-
| 2.1.6 | Ensure LDAP server is not installed | Pass ||
111-
| 2.1.7 | Ensure NFS is not installed | Pass ||
112-
| 2.1.8 | Ensure DNS Server is not installed | Pass ||
113-
| 2.1.9 | Ensure FTP Server is not installed | Pass ||
114-
| 2.1.10 | Ensure HTTP server is not installed | Pass ||
115-
| 2.1.11 | Ensure IMAP and POP3 server are not installed | Pass ||
116-
| 2.1.12 | Ensure Samba is not installed | Pass ||
117-
| 2.1.13 | Ensure HTTP Proxy Server is not installed | Pass ||
118-
| 2.1.14 | Ensure SNMP Server is not installed | Pass ||
107+
| 2.1.2 | Ensure X Window System isn't installed | Pass ||
108+
| 2.1.3 | Ensure Avahi Server isn't installed | Pass ||
109+
| 2.1.4 | Ensure CUPS isn't installed | Pass ||
110+
| 2.1.5 | Ensure DHCP Server isn't installed | Pass ||
111+
| 2.1.6 | Ensure LDAP server isn't installed | Pass ||
112+
| 2.1.7 | Ensure NFS isn't installed | Pass ||
113+
| 2.1.8 | Ensure DNS Server isn't installed | Pass ||
114+
| 2.1.9 | Ensure FTP Server isn't installed | Pass ||
115+
| 2.1.10 | Ensure HTTP server isn't installed | Pass ||
116+
| 2.1.11 | Ensure IMAP and POP3 server aren't installed | Pass ||
117+
| 2.1.12 | Ensure Samba isn't installed | Pass ||
118+
| 2.1.13 | Ensure HTTP Proxy Server isn't installed | Pass ||
119+
| 2.1.14 | Ensure SNMP Server isn't installed | Pass ||
119120
| 2.1.15 | Ensure mail transfer agent is configured for local-only mode | Pass ||
120-
| 2.1.16 | Ensure rsync service is not installed | Fail | |
121-
| 2.1.17 | Ensure NIS Server is not installed | Pass ||
121+
| 2.1.16 | Ensure rsync service isn't installed | Fail | |
122+
| 2.1.17 | Ensure NIS Server isn't installed | Pass ||
122123
| 2.2 | Service Clients |||
123-
| 2.2.1 | Ensure NIS Client is not installed | Pass ||
124-
| 2.2.2 | Ensure rsh client is not installed | Pass ||
125-
| 2.2.3 | Ensure talk client is not installed | Pass ||
126-
| 2.2.4 | Ensure telnet client is not installed | Fail | |
127-
| 2.2.5 | Ensure LDAP client is not installed | Pass ||
128-
| 2.2.6 | Ensure RPC is not installed | Fail | Potential Operational Impact |
124+
| 2.2.1 | Ensure NIS Client isn't installed | Pass ||
125+
| 2.2.2 | Ensure rsh client isn't installed | Pass ||
126+
| 2.2.3 | Ensure talk client isn't installed | Pass ||
127+
| 2.2.4 | Ensure telnet client isn't installed | Fail | |
128+
| 2.2.5 | Ensure LDAP client isn't installed | Pass ||
129+
| 2.2.6 | Ensure RPC isn't installed | Fail | Potential Operational Impact |
129130
| 2.3 | Ensure nonessential services are removed or masked | Pass | |
130131
| 3 | Network Configuration |||
131132
| 3.1 | Disable unused network protocols and devices |||
@@ -134,15 +135,15 @@ The following are CIS rules implemented:
134135
| 3.2.1 | Ensure packet redirect sending is disabled | Pass ||
135136
| 3.2.2 | Ensure IP forwarding is disabled | Fail | Not Applicable |
136137
| 3.3 | Network Parameters (Host and Router) |||
137-
| 3.3.1 | Ensure source routed packets are not accepted | Pass ||
138-
| 3.3.2 | Ensure ICMP redirects are not accepted | Pass ||
139-
| 3.3.3 | Ensure secure ICMP redirects are not accepted | Pass ||
138+
| 3.3.1 | Ensure source routed packets aren't accepted | Pass ||
139+
| 3.3.2 | Ensure ICMP redirects aren't accepted | Pass ||
140+
| 3.3.3 | Ensure secure ICMP redirects aren't accepted | Pass ||
140141
| 3.3.4 | Ensure suspicious packets are logged | Pass ||
141142
| 3.3.5 | Ensure broadcast ICMP requests are ignored | Pass ||
142143
| 3.3.6 | Ensure bogus ICMP responses are ignored | Pass ||
143144
| 3.3.7 | Ensure Reverse Path Filtering is enabled | Pass ||
144145
| 3.3.8 | Ensure TCP SYN Cookies is enabled | Pass ||
145-
| 3.3.9 | Ensure IPv6 router advertisements are not accepted | Pass ||
146+
| 3.3.9 | Ensure IPv6 router advertisements aren't accepted | Pass ||
146147
| 3.4 | Uncommon Network Protocols |||
147148
| 3.5 | Firewall Configuration |||
148149
| 3.5.1 | Configure UncomplicatedFirewall |||
@@ -269,12 +270,12 @@ The following are CIS rules implemented:
269270
| 6.1.14 | Audit SGID executables | Not Applicable | |
270271
| 6.2 | User and Group Settings |||
271272
| 6.2.1 | Ensure accounts in /etc/passwd use shadowed passwords | Pass ||
272-
| 6.2.2 | Ensure password fields are not empty | Pass ||
273+
| 6.2.2 | Ensure password fields aren't empty | Pass ||
273274
| 6.2.3 | Ensure all groups in /etc/passwd exist in /etc/group | Pass ||
274275
| 6.2.4 | Ensure all users' home directories exist | Pass ||
275276
| 6.2.5 | Ensure users own their home directories | Pass ||
276277
| 6.2.6 | Ensure users' home directories permissions are 750 or more restrictive | Pass ||
277-
| 6.2.7 | Ensure users' dot files are not group or world writable | Pass ||
278+
| 6.2.7 | Ensure users' dot files aren't group or world writable | Pass ||
278279
| 6.2.8 | Ensure no users have .netrc files | Pass ||
279280
| 6.2.9 | Ensure no users have .forward files | Pass ||
280281
| 6.2.10 | Ensure no users have .rhosts files | Pass ||

0 commit comments

Comments
 (0)