
A STIG describes how to minimize network-based attacks and prevent unauthorized system access, whether the attacker is physically at the machine or coming in over a network. STIGs also describe maintenance processes such as software updates and vulnerability patching.

Findings (MAC III - Administrative Sensitive)

| Finding ID | Severity | Title | Description |
| --- | --- | --- | --- |
| V-242388 | High | The Kubernetes API server must have the insecure bind address not set. | By default, the API server will listen on two ports and addresses. One address is the secure address and the other address is called the 'insecure bind' address and is set by default to localhost. ... |
| V-242381 | High | The Kubernetes Controller Manager must create unique service accounts for each work payload. | The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated ... |
| V-242383 | High | User-managed resources must be created in dedicated namespaces. | Creating namespaces for user-managed resources is important when implementing Role-Based Access Controls (RBAC). RBAC allows for the authorization of users and helps support proper API server ... |
| V-242386 | High | The Kubernetes API server must have the insecure port flag disabled. | By default, the API server will listen on two ports. One port is the secure port and the other port is called the 'localhost port'. This port is also called the 'insecure port', port 8080. Any ... |
| V-242387 | High | The Kubernetes Kubelet must have the read-only port flag disabled. | Kubelet serves a small REST API with read access to port 10255. The read-only port for Kubernetes provides no authentication or authorization security control. Providing unrestricted access on ... |
| V-242392 | High | The Kubernetes kubelet must enable explicit authorization. | Kubelet is the primary agent on each node. The API server communicates with each kubelet to perform tasks such as starting/stopping pods. By default, kubelets allow all authenticated requests, ... |
| V-242391 | High | The Kubernetes Kubelet must have anonymous authentication disabled. | A user who has access to the Kubelet essentially has root access to the nodes contained within the Kubernetes Control Plane. To control access, users must be authenticated and authorized. By ... |
| V-242390 | High | The Kubernetes API server must have anonymous authentication disabled. | The Kubernetes API Server controls Kubernetes via an API interface. A user who has access to the API essentially has root access to the entire Kubernetes cluster. To control access, users must be ... |
| V-242397 | High | The Kubernetes kubelet static PodPath must not enable static pods. | Allowing kubelet to set a staticPodPath gives containers with root access permissions to traverse the hosting filesystem. The danger comes when the container can create a manifest file within the ... |
| V-242415 | High | Secrets in Kubernetes must not be stored as environment variables. | Secrets, such as passwords, keys, tokens, and certificates should not be stored as environment variables. These environment variables are accessible inside Kubernetes by the 'Get Pod' API call, ... |
| V-242436 | High | The Kubernetes API server must have the ValidatingAdmissionWebhook enabled. | Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated, or deleted. By applying a pod security policy, control can be given ... |
| V-242437 | High | Kubernetes must have a pod security policy set. | Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated, or deleted. By applying a pod security policy, control can be given ... |
| V-242434 | High | Kubernetes Kubelet must enable kernel protection. | The system kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources ... |
| V-242435 | High | Kubernetes must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures or the installation of patches and updates. | Kubernetes uses the API Server to control communication to the other services that make up Kubernetes. The use of authorizations and not the default of 'AlwaysAllow' enables the Kubernetes ... |
| V-242439 | High | Kubernetes API Server must disable basic authentication to protect information in transit. | Kubernetes basic authentication sends and receives requests containing username, uid, groups, and other fields over a clear text HTTP communication. Basic authentication does not provide any ... |
| V-242389 | Medium | The Kubernetes API server must have the secure port set. | By default, the API server will listen on what is rightfully called the secure port, port 6443. Any requests to this port will perform authentication and authorization checks. If this port is ... |
| V-242380 | Medium | The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. | The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the ... |
| V-242382 | Medium | The Kubernetes API Server must enable Node,RBAC as the authorization mode. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web ... |
| V-242384 | Medium | The Kubernetes Scheduler must have secure binding. | Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external sources is paramount when securing the overall Kubernetes cluster. The ... |
| V-242385 | Medium | The Kubernetes Controller Manager must have secure binding. | Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external sources is paramount when securing the overall Kubernetes cluster. The ... |
| V-242468 | Medium | The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0. | The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to ... |
| V-242461 | Medium | Kubernetes API Server audit logs must be enabled. | Kubernetes API Server validates and configures pods and services for the API object. The REST operation provides frontend functionality to the cluster share state. Enabling audit logs provides a ... |
| V-242460 | Medium | The Kubernetes admin.conf must have file permissions set to 644 or more restrictive. | The Kubernetes conf files contain the arguments and settings for the Master Node services. These services are controller and scheduler. If these files can be changed, the scheduler will be ... |
| V-242463 | Medium | The Kubernetes API Server must be set to audit log maximum backup. | The Kubernetes API Server must set enough storage to retain logs for monitoring suspicious activity and system misconfiguration, and provide evidence for Cyber Security Investigations. |
| V-242462 | Medium | The Kubernetes API Server must be set to audit log max size. | The Kubernetes API Server must be set for enough storage to retain log information over the period required. When audit logs are large in size, the monitoring service for events becomes degraded. ... |
| V-242465 | Medium | The Kubernetes API Server audit log path must be set. | Kubernetes API Server validates and configures pods and services for the API object. The REST operation provides frontend functionality to the cluster share state. Audit logs are necessary to ... |
| V-242464 | Medium | The Kubernetes API Server audit log retention must be set. | The Kubernetes API Server must set enough storage to retain logs for monitoring suspicious activity and system misconfiguration, and provide evidence for Cyber Security Investigations. |
| V-242467 | Medium | The Kubernetes PKI keys must have file permissions set to 600 or more restrictive. | The Kubernetes PKI directory contains all certificate key files supporting secure network communications in the Kubernetes Control Plane. If these files can be modified, data traversing within the ... |
| V-242466 | Medium | The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive. | The Kubernetes PKI directory contains all certificates (.crt files) supporting secure network communications in the Kubernetes Control Plane. If these files can be modified, data traversing within ... |
| V-242377 | Medium | The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. | The Kubernetes Scheduler will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the ... |
| V-242376 | Medium | The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. | The Kubernetes Controller Manager will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities ... |
| V-242379 | Medium | The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination. | Kubernetes etcd will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the Kubernetes ... |
| V-242378 | Medium | The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination. | The Kubernetes API Server will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. The use of unsupported protocol exposes vulnerabilities to the ... |
| V-242399 | Medium | Kubernetes DynamicKubeletConfig must not be enabled. | Kubernetes allows a user to configure kubelets with dynamic configurations. When dynamic configuration is used, the kubelet will watch for changes to the configuration file. When changes are made, ... |
| V-242398 | Medium | Kubernetes DynamicAuditing must not be enabled. | Protecting the audit data from change or deletion is important when an attack occurs. One way an attacker can cover their tracks is to change or delete audit records. This will either make the ... |
| V-242393 | Medium | Kubernetes Worker Nodes must not have sshd service running. | Worker Nodes are maintained and monitored by the Master Node. Direct access and manipulation of the nodes should not take place by administrators. Worker nodes should be treated as immutable and ... |
| V-242396 | Medium | Kubernetes Kubectl cp command must give expected access and results. | One of the tools heavily used to interact with containers in the Kubernetes cluster is kubectl. The command is the tool System Administrators use to create, modify, and delete resources. One of ... |
| V-242395 | Medium | Kubernetes dashboard must not be enabled. | While the Kubernetes dashboard is not inherently insecure on its own, it is often coupled with a misconfiguration of Role-Based Access Control (RBAC) permissions that can unintentionally ... |
| V-242394 | Medium | Kubernetes Worker Nodes must not have the sshd service enabled. | Worker Nodes are maintained and monitored by the Master Node. Direct access and manipulation of the nodes must not take place by administrators. Worker nodes must be treated as immutable and ... |
| V-242418 | Medium | The Kubernetes API server must use approved cipher suites. | The Kubernetes API server communicates to the kubelet service on the nodes to deploy, update, and delete resources. If an attacker were able to get between this communication and modify the ... |
| V-242419 | Medium | Kubernetes API Server must have the SSL Certificate Authority set. | Kubernetes control plane and external communication is managed by API Server. The main implementation of the API Server is to manage hardware resources for pods and containers using horizontal or ... |
| V-242414 | Medium | The Kubernetes cluster must use non-privileged host ports for user pods. | Privileged ports are those ports below 1024 that require system privileges for their use. If containers can use these ports, the container must be run as a privileged user. Kubernetes must ... |
| V-242416 | Medium | Kubernetes Kubelet must not disable timeouts. | Idle connections from the Kubelet can be used by unauthorized users to perform malicious activity to the nodes, pods, containers, and cluster within the Kubernetes Control Plane. Setting the ... |
| V-242417 | Medium | Kubernetes must separate user functionality. | Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without the separation, users may have access to management ... |
| V-242410 | Medium | The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | Kubernetes API Server PPSs must be controlled and conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction ... |
| V-242411 | Medium | The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | Kubernetes Scheduler PPS must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found ... |
| V-242412 | Medium | The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | Kubernetes Controller ports, protocols, and services must be controlled and conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found ... |
| V-242413 | Medium | The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL). | Kubernetes etcd PPS must be controlled and conform to the PPSM CAL. Those PPS that fall outside the PPSM CAL must be blocked. Instructions on the PPSM can be found in DoD Instruction 8551.01 Policy. |
| V-242409 | Medium | Kubernetes Controller Manager must disable profiling. | Kubernetes profiling provides the ability to analyze and troubleshoot Controller Manager events over a web interface on a host port. Enabling this service can expose details about the Kubernetes ... |
| V-242408 | Medium | The Kubernetes manifests must have least privileges. | The manifest files contain the runtime configuration of the API server, scheduler, controller, and etcd. If an attacker can gain access to these files, changes can be made to open vulnerabilities ... |
| V-242407 | Medium | The Kubernetes kubelet configuration file must be owned by root. | The kubelet configuration file contains the runtime configuration of the kubelet service. If an attacker can gain access to this file, changes can be made to open vulnerabilities and bypass user ... |
| V-242406 | Medium | The Kubernetes kubelet configuration file must be owned by root. | The kubelet configuration file contains the runtime configuration of the kubelet service. If an attacker can gain access to this file, changes can be made to open vulnerabilities and bypass user ... |
| V-242405 | Medium | The Kubernetes manifests must be owned by root. | The manifest files contain the runtime configuration of the API server, proxy, scheduler, controller, and etcd. If an attacker can gain access to these files, changes can be made to open ... |
| V-242404 | Medium | Kubernetes Kubelet must deny hostname override. | Kubernetes allows for the overriding of hostnames. Allowing this feature to be implemented within the kubelets may break the TLS setup between the kubelet service and the API server. This setting ... |
| V-242403 | Medium | Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event. | Within Kubernetes, audit data for all components is generated by the API server. This audit data is important when there are issues, to include security incidents that must be investigated. To ... |
| V-242402 | Medium | The Kubernetes API Server must have an audit log path set. | When Kubernetes is started, components and user services are started. For auditing startup events, and events for components and services, it is important that auditing begin on startup. Within ... |
| V-242401 | Medium | The Kubernetes API Server must have an audit policy set. | When Kubernetes is started, components and user services are started. For auditing startup events, and events for components and services, it is important that auditing begin on startup. Within ... |
| V-242400 | Medium | The Kubernetes API server must have Alpha APIs disabled. | Kubernetes allows alpha API calls within the API server. The alpha features are disabled by default since they are not ready for production and likely to change without notice. These features may ... |
| V-242432 | Medium | Kubernetes etcd must have peer-cert-file set for secure communication. | Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control the Kubernetes cluster. Even just reading ... |
| V-242433 | Medium | Kubernetes etcd must have a peer-key-file set for secure communication. | Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the ... |
| V-242430 | Medium | Kubernetes etcd must have a certificate for communication. | Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control your Kubernetes cluster. Even just reading ... |
| V-242431 | Medium | Kubernetes etcd must have a key file for secure communication. | Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the ... |
| V-242438 | Medium | Kubernetes API Server must configure timeouts to limit attack surface. | The Kubernetes API Server request timeout sets the duration a request stays open before timing out. Since the API Server is the central component in the Kubernetes Control Plane, it is vital to ... |
| V-242425 | Medium | Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service. | Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. ... |
| V-242424 | Medium | Kubernetes Kubelet must enable tls-private-key-file for client authentication to secure service. | Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. ... |
| V-242427 | Medium | Kubernetes etcd must have a key file for secure communication. | Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control the Kubernetes cluster. Even just reading ... |
| V-242426 | Medium | Kubernetes etcd must enable client authentication to secure service. | Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. ... |
| V-242421 | Medium | Kubernetes Controller Manager must have the SSL Certificate Authority set. | The Kubernetes Controller Manager is responsible for creating service accounts and tokens for the API Server, maintaining the correct number of pods for every replication controller and provides ... |
| V-242420 | Medium | Kubernetes Kubelet must have the SSL Certificate Authority set. | Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. ... |
| V-242423 | Medium | Kubernetes etcd must enable client authentication to secure service. | Kubernetes container and pod configuration are maintained by Kubelet. Kubelet agents register nodes with the API Server, mount volume storage, and perform health checks for containers and pods. ... |
| V-242422 | Medium | Kubernetes API Server must have a certificate for communication. | Kubernetes control plane and external communication is managed by API Server. The main implementation of the API Server is to manage hardware resources for pods and containers using horizontal or ... |
| V-242429 | Medium | Kubernetes etcd must have the SSL Certificate Authority set. | Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the ... |
| V-242428 | Medium | Kubernetes etcd must have a certificate for communication. | Kubernetes stores configuration and state information in a distributed key-value store called etcd. Anyone who can write to etcd can effectively control a Kubernetes cluster. Even just reading the ... |
| V-242450 | Medium | The Kubernetes Kubelet certificate authority must be owned by root. | The Kubernetes kube proxy kubeconfig contains the arguments and settings for the Master Nodes. These settings contain network rules for restricting network communication between pods, clusters, and ... |
| V-242451 | Medium | The Kubernetes component PKI must be owned by root. | The Kubernetes PKI directory contains all certificates (.crt files) supporting secure network communications in the Kubernetes Control Plane. If these files can be modified, data traversing within ... |
| V-242452 | Medium | The Kubernetes kubelet config must have file permissions set to 644 or more restrictive. | The Kubernetes kubelet agent registers nodes with the API Server, mounts volume storage for pods, and performs health checks to containers within pods. If these files can be modified, the ... |
| V-242453 | Medium | The Kubernetes kubelet config must be owned by root. | The Kubernetes kubelet agent registers nodes with the API server and performs health checks to containers within pods. If these files can be modified, the information system would be unaware of ... |
| V-242454 | Medium | The Kubernetes kubeadm must be owned by root. | The Kubernetes kubeadm.conf contains sensitive information regarding the cluster nodes configuration. If this file can be modified, the Kubernetes Platform Plane would be degraded or compromised ... |
| V-242455 | Medium | The Kubernetes kubelet service must have file permissions set to 644 or more restrictive. | The Kubernetes kubeadm.conf contains sensitive information regarding the cluster nodes configuration. If this file can be modified, the Kubernetes Platform Plane would be degraded or compromised ... |
| V-242456 | Medium | The Kubernetes kubelet config must have file permissions set to 644 or more restrictive. | The Kubernetes kubelet agent registers nodes with the API server and performs health checks to containers within pods. If this file can be modified, the information system would be unaware of pod ... |
| V-242457 | Medium | The Kubernetes kubelet config must be owned by root. | The Kubernetes kubelet agent registers nodes with the API Server and performs health checks to containers within pods. If this file can be modified, the information system would be unaware of pod ... |
| V-242458 | Medium | The Kubernetes API Server must have file permissions set to 644 or more restrictive. | The Kubernetes manifests are those files that contain the arguments and settings for the Master Node services. These services are etcd, the API Server, controller, proxy, and scheduler. If these ... |
| V-242459 | Medium | The Kubernetes etcd must have file permissions set to 644 or more restrictive. | The Kubernetes etcd key-value store provides a way to store data to the Master Node. If these files can be changed, data to the API object and master node would be compromised. |
| V-242443 | Medium | Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. | Kubernetes software must stay up to date with the latest patches, service packs, and hot fixes. Not updating the Kubernetes control plane will expose the organization to vulnerabilities. Flaws ... |
| V-242442 | Medium | Kubernetes must remove old components after updated versions have been installed. | Previous versions of Kubernetes components that are not removed after updates have been installed may be exploited by adversaries by allowing the vulnerabilities to still exist within the cluster. ... |
| V-242441 | Medium | Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit. | Kubernetes control plane and external communication is managed by API Server. The main implementation of the API Server is to manage hardware resources for pods and containers using horizontal or ... |
| V-242440 | Medium | Kubernetes API Server must disable token authentication to protect information in transit. | Kubernetes token authentication uses passwords known as secrets in a plaintext file. This file contains sensitive information such as the token, username, and user uid. This token is used by service ... |
| V-242447 | Medium | The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive. | The Kubernetes kube proxy kubeconfig contains the arguments and settings for the Master Nodes. These settings contain network rules for restricting network communication between pods, clusters, and ... |
| V-242446 | Medium | The Kubernetes conf files must be owned by root. | The Kubernetes conf files contain the arguments and settings for the Master Node services. These services are controller and scheduler. If these files can be changed, the scheduler will be ... |
| V-242445 | Medium | The Kubernetes component etcd must be owned by etcd. | The Kubernetes etcd key-value store provides a way to store data to the Master Node. If these files can be changed, data to the API object and the master node would be compromised. The scheduler will ... |
| V-242444 | Medium | The Kubernetes component manifests must be owned by root. | The Kubernetes manifests are those files that contain the arguments and settings for the Master Node services. These services are etcd, the API server, controller, proxy, and scheduler. If these ... |
| V-242449 | Medium | The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive. | The Kubernetes kubelet certificate authority file contains settings for the Kubernetes Node TLS certificate authority. Any request presenting a client certificate signed by one of the authorities ... |
| V-242448 | Medium | The Kubernetes Kube Proxy must be owned by root. | The Kubernetes kube proxy kubeconfig contains the arguments and settings for the Master Nodes. These settings contain network rules for restricting network communication between pods, clusters, and ... |