Merge pull request #291501 from btray900/btray900/sec-scan-info

[operator-nexus] Add security scanning excepted control info

Author: JamesJBarnett

articles/operator-nexus/concepts-security.md

@@ -1,7 +1,7 @@
 ---
 title: "Azure Operator Nexus: Security concepts"
-description: Security overview for Azure Operator Nexus 
-author: scottsteinbrueck 
+description: Security overview for Azure Operator Nexus
+author: scottsteinbrueck
 ms.author: ssteinbrueck
 ms.service: azure-operator-nexus
 ms.topic: conceptual
@@ -11,13 +11,13 @@ ms.custom: template-concept
 
 # Azure Operator Nexus security
 
-Azure Operator Nexus is designed and built to both detect and defend against 
-the latest security threats and comply with the strict requirements of government 
-and industry security standards. Two cornerstones form the foundation of its 
+Azure Operator Nexus is designed and built to both detect and defend against
+the latest security threats and comply with the strict requirements of government
+and industry security standards. Two cornerstones form the foundation of its
 security architecture:
 
 * **Security by default** - Security resiliency is an inherent part of the platform with little to no configuration changes needed to use it securely.
-* **Assume breach** - The underlying assumption is that any system can be compromised, and as such the goal is to minimize the impact of a security breach if one occurs. 
+* **Assume breach** - The underlying assumption is that any system can be compromised, and as such the goal is to minimize the impact of a security breach if one occurs.
 
 Azure Operator Nexus realizes the above by leveraging Microsoft cloud-native security tools that give you the ability to improve your cloud security posture while allowing you to protect your operator workloads.
 
@@ -47,6 +47,87 @@ You have the option to enable Defender for Containers protection within Defender
 
 ## Cloud security is a shared responsibility
 
-It is important to understand that in a cloud environment, security is a [shared responsibility](../security/fundamentals/shared-responsibility.md) between you and the cloud provider. The responsibilities vary depending on the type of cloud service your workloads run on, whether it is Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), as well as where the workloads are hosted – within the cloud provider’s or your own on-premises datacenters.
+It's important to understand that in a cloud environment, security is a [shared responsibility](../security/fundamentals/shared-responsibility.md) between you and the cloud provider. The responsibilities vary depending on the type of cloud service your workloads run on, whether it is Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), as well as where the workloads are hosted – within the cloud provider’s or your own on-premises datacenters.
 
 Azure Operator Nexus workloads run on servers in your datacenters, so you are in control of changes to your on-premises environment. Microsoft periodically makes new platform releases available that contain security and other updates. You must then decide when to apply these releases to your environment as appropriate for your organization’s business needs.
+
+## Kubernetes Security Benchmark Scanning
+
+Industry standard security benchmarking tools are used to scan the Azure Operator Nexus platform for security compliance. These tools include [OpenSCAP](https://public.cyber.mil/stigs/scap/), to evaluate compliance with Kubernetes Security Technical Implementation Guide (STIG) controls, and Aqua Security’s [Kube-Bench](https://github.com/aquasecurity/kube-bench/tree/main), to evaluate compliance with the Center for Internet Security (CIS) Kubernetes Benchmarks.
+
+Some controls aren't technically feasible to implement in the Azure Operator Nexus environment, and these excepted controls are documented below for the applicable Nexus layers.
+
+Environmental controls such as RBAC and Service Account tests aren't evaluated by these tools, as the outcomes may differ based on customer requirements.
+
+**NTF = Not Technically Feasible**
+
+### OpenSCAP STIG - V2R2
+
+*Cluster*
+
+:::image type="content" source="media/security/nexus-cluster-openscap.png" alt-text="Screenshot of Cluster OpenSCAP exceptions." lightbox="media/security/nexus-cluster-openscap.png":::
+
+|STIG ID|Recommendation description|Status|Issue|
+|---|---|---|---|
+|V-242386|The Kubernetes API server must have the insecure port flag disabled|NTF|This check is deprecated in v1.24.0 and greater|
+|V-242397|The Kubernetes kubelet staticPodPath must not enable static pods|NTF|Only enabled for control nodes, required for kubeadm|
+|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore aren't captured in the audit logs|
+|V-242424|Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service|NTF|Kubelet SANs contains hostname only|
+|V-242425|Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.|NTF|Kubelet SANs contains hostname only|
+|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection isn't feasible for kubeadm in Nexus|
+
+
+*Nexus Kubernetes Cluster*
+
+:::image type="content" source="media/security/nexus-kubernetes-cluster-openscap.png" alt-text="Screenshot of Nexus Kubernetes Cluster OpenSCAP exceptions." lightbox="media/security/nexus-kubernetes-cluster-openscap.png":::
+
+|STIG ID|Recommendation description|Status|Issue|
+|---|---|---|---|
+|V-242386|The Kubernetes API server must have the insecure port flag disabled|NTF|This check is deprecated in v1.24.0 and greater|
+|V-242397|The Kubernetes kubelet staticPodPath must not enable static pods|NTF|Only enabled for control nodes, required for kubeadm|
+|V-242403|Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event|NTF|Certain API requests and responses contain secrets and therefore aren't captured in the audit logs|
+|V-242424|Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service|NTF|Kubelet SANs contains hostname only|
+|V-242425|Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.|NTF|Kubelet SANs contains hostname only|
+|V-242434|Kubernetes Kubelet must enable kernel protection.|NTF|Enabling kernel protection isn't feasible for kubeadm in Nexus|
+
+
+*Cluster Manager - Azure Kubernetes*
+
+As a secure service, Azure Kubernetes Service (AKS) complies with SOC, ISO, PCI DSS, and HIPAA standards. The following image shows the OpenSCAP file permission exceptions for the Cluster Manager AKS implementation.
+
+:::image type="content" source="media/security/nexus-cluster-manager-openscap.png" alt-text="Screenshot of Cluster Manager OpenSCAP exceptions." lightbox="media/security/nexus-cluster-manager-openscap.png":::
+
+
+### Aquasec Kube-Bench - CIS 1.9
+
+*Cluster*
+
+:::image type="content" source="media/security/nexus-cluster-kubebench.png" alt-text="Screenshot of Cluster Kube-Bench exceptions." lightbox="media/security/nexus-cluster-kubebench.png":::
+
+|CIS ID|Recommendation description|Status|Issue|
+|---|---|---|---|
+|1|Control Plane Components|||
+|1.1|Control Plane Node Configuration Files|||
+|1.1.12|Ensure that the etcd data directory ownership is set to `etcd:etcd`|NTF|Nexus is `root:root`, etcd user isn't configured for kubeadm|
+|1.2|API Server|||
+|1.1.12|Ensure that the `--kubelet-certificate-authority` argument is set as appropriate|NTF|Kubelet SANs includes hostname only|
+
+
+*Nexus Kubernetes Cluster*
+
+:::image type="content" source="media/security/nexus-kubernetes-cluster-kubebench.png" alt-text="Screenshot of Nexus Kubernetes Cluster Kube-Bench exceptions." lightbox="media/security/nexus-kubernetes-cluster-kubebench.png":::
+
+|CIS ID|Recommendation description|Status|Issue|
+|---|---|---|---|
+|1|Control Plane Components|||
+|1.1|Control Plane Node Configuration Files|||
+|1.1.12|Ensure that the etcd data directory ownership is set to `etcd:etcd`|NTF|Nexus is `root:root`, etcd user isn't configured for kubeadm|
+|1.2|API Server|||
+|1.1.12|Ensure that the `--kubelet-certificate-authority` argument is set as appropriate|NTF|Kubelet SANs includes hostname only|
+
+
+*Cluster Manager - Azure Kubernetes*
+
+The Operator Nexus Cluster Manager is an AKS implementation. The following image shows the Kube-Bench exceptions for the Cluster Manager. A full report of CIS Benchmark control evaluation for Azure Kubernetes Service (AKS) can be found [here](/azure/aks/cis-kubernetes)
+
+:::image type="content" source="media/security/nexus-cluster-manager-kubebench.png" alt-text="Screenshot of Cluster Manager Kube-Bench exceptions." lightbox="media/security/nexus-cluster-manager-kubebench.png":::