This document describes the level of compliance that GKE on VMware has with the CIS Ubuntu Benchmark.
Versions
This document refers to these versions:
| Anthos version | Ubuntu version | CIS Ubuntu Benchmark version | CIS level |
|---|---|---|---|
| 1.28 | 22.04 LTS | v1.0.0 | Level 2 Server |
Access the benchmark
The CIS Ubuntu Benchmark is available on the CIS website.
Configuration profile
In the CIS Ubuntu Benchmark document, you can read about configuration profiles. The Ubuntu images used by GKE on VMware are hardened to meet the Level 2 - Server profile.
Evaluation on GKE on VMware
We use the following values to specify the status of Ubuntu recommendations in GKE on VMware.
| Status | Description |
|---|---|
| Pass | Complies with a benchmark recommendation. |
| Fail | Does not comply with a benchmark recommendation. |
| Equivalent control | Does not comply with the exact terms in a benchmark recommendation, but other mechanisms in GKE on VMware provide equivalent security controls. |
| Depends on environment | GKE on VMware does not configure items related to a benchmark recommendation. Your configuration determines whether your environment complies with the recommendation. |
Status of GKE on VMware
The Ubuntu images used with GKE on VMware are hardened to meet the CIS Level 2 - Server profile. The following table gives justifications for why GKE on VMware components did not pass certain recommendations.
| # | Recommendation | Status | Justification | Affected Components |
|---|---|---|---|---|
| 1.1.2.1 | Ensure /tmp Located On Separate Partition | Fail | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
| 1.1.3.1 | Ensure /var Located On Separate Partition | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
| 1.1.4.1 | Ensure /var/tmp Located On Separate Partition | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
| 1.1.5.1 | Ensure /var/log Located On Separate Partition | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
| 1.1.6.1 | Ensure /var/log/audit Located On Separate Partition | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
| 1.1.7.1 | Ensure /home Located On Separate Partition | Won't fix | Canonical has no plan to modify the cloud image partitions at this time. | All cluster nodes, Admin workstation, Seesaw |
| 1.4.1 | Set Boot Loader Password in grub2 | Depends on Environment | No root password is set on Ubuntu cloud images. | All cluster nodes, Admin workstation, Seesaw |
| 1.4.3 | Ensure Authentication Required for Single User Mode | Depends on Environment | No root password is set on Ubuntu cloud images. | All cluster nodes, Admin workstation, Seesaw |
| 2.3.6 | Uninstall rpcbind Package | Failed | rpcbind is installed on the Canonical cloud image, though it's not enabled by default. The rule is failing because it requires it to be not installed | All cluster nodes Admin workstation, Seesaw |
| 3.3.7 | Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces | Depends on Environment | Asynchronous routing and reverse path origination is a requirement for delivering cluster load balancing. | Non-admin-master nodes Seesaw |
| 3.5.2.6 | Set nftables configuration for loopback traffic | Won't fix | Anthos Network got affected by this rule. | All cluster nodes, Admin workstation, Seesaw |
| 3.5.2.8 | Ensure nftables default deny firewall policy | Depends on Environment | It is recommended that GKE on VMware be deployed on a private network with appropriate firewall protections. The required firewall rules can be found here. | All cluster nodes, Admin workstation, Seesaw |
| 4.2.3 | Verify permissions of log files | Fail | This specific test is overly restrictive and unrealistic as many services may require a group to write log files. This item may be removed in a future benchmark. | All cluster nodes, Admin workstation, Seesaw |
| 5.2.18 | Limit Users' SSH Access | Depends on Environment | This is not configured by default. | All cluster nodes, Admin workstation, Seesaw |
| 5.3.4 | Ensure Users Re-Authenticate for Privilege Escalation - sudo | Depends on Environment | This is not configured by default. | All cluster nodes, Admin workstation, Seesaw |
| 5.5.1.2 | Set Password Maximum Age | Equivalent control | VMs for GKE on VMware rely on ssh key for user login, instead of using password | All cluster nodes |
| 6.1.10 | Ensure All Files Are Owned by a User | Fail | Permissions have been left as default. | All cluster nodes |