docs: add docs on kspp and cis hardening#480
Open
Iheanacho-ai wants to merge 1 commit intosiderolabs:mainfrom
Open
docs: add docs on kspp and cis hardening#480Iheanacho-ai wants to merge 1 commit intosiderolabs:mainfrom
Iheanacho-ai wants to merge 1 commit intosiderolabs:mainfrom
Conversation
Signed-off-by: Amarachi Iheanacho <amarachi.iheanacho@siderolabs.com>
rothgar
reviewed
Apr 8, 2026
public/talos/v1.12/security/talos-default-hardening-and-cis-compliance.mdx
Show resolved
Hide resolved
rothgar
reviewed
Apr 8, 2026
| To verify the active kernel command line on a node: | ||
|
|
||
| ```bash | ||
| talosctl read /proc/cmdline --nodes <node-ip> |
Member
There was a problem hiding this comment.
This won't work in Omni but I think there's an omnictl command to get the kernel args
rothgar
reviewed
Apr 8, 2026
| Talos follows the recommendations of the Kernel Self-Protection Project (KSPP), a Linux kernel initiative that eliminates entire classes of vulnerabilities through kernel configuration and runtime settings. | ||
|
|
||
| Kernel hardening in Talos operates at three levels: | ||
|
|
Member
There was a problem hiding this comment.
you're missing a step for build time security. There is hardening we do in the kernel config that can't be changed after the kernel has been built and adds security. Things like not allowing kernel modules to be loaded by userspace processes.
rothgar
reviewed
Apr 8, 2026
|
|
||
| - **Kernel module signature verification (`module.sig_enforce=1`)**: This control allows only cryptographically signed modules to be loaded into the kernel. It ensures that anything entering the kernel can be traced back to a trusted source, preventing tampering via unsigned drivers, a common persistence technique in compromised systems. | ||
|
|
||
| - **Process memory write restriction (`proc_mem.force_override=never`)**: Building on that same principle of limiting what can influence running code, this control prevents any process from writing to /proc/PID/mem of another process. Without it, a compromised process could modify another process's memory directly, a technique commonly used in process injection attacks. |
rothgar
reviewed
Apr 8, 2026
|
|
||
| Every check in section 1.1 will fail on Talos. This section is entirely concerned with file permissions and ownership of control plane configuration files, things like pod specification files and PKI certificates. kube-bench expects to find these at paths like `/etc/kubernetes/manifests/` and `/etc/kubernetes/pki/`, which is where kubeadm-based clusters store them. | ||
|
|
||
| Talos does not use static pod manifests to run control plane components. Instead, Talos uses `machined`, its init system, specially designed to run Kubernetes, to manage system-level services including `etcd`, `kubelet`, and the container runtime. Talos services run under the `system` namespace in containerd, separate from Kubernetes workloads. PKI is managed by `trustd`, Talos's dedicated trust daemon, which handles certificate distribution across the cluster. This means the manifest files and PKI paths kube-bench looks for simply do not exist, not because the controls are missing, but because Talos's architecture does not require them. |
Member
There was a problem hiding this comment.
Talos actually does use static pod manifests for control plane components (scheduler, controller-manager, etc). Only etcd and kubelet are started by machined
rothgar
reviewed
Apr 8, 2026
|
|
||
| Many organizations need to run CIS benchmarks on a regular cadence and produce audit reports. Because the **section 1.1** and several **section 1.2** failures on Talos are architectural false positives rather than real security gaps, including them in a report creates noise and requires manual explanation each time. | ||
|
|
||
| kube-bench supports a `--skip` flag that lets you exclude specific checks by ID, so the report contains only results that are meaningful for Talos clusters. |
Member
There was a problem hiding this comment.
can we provide an example command with --skip flag so people can run and get an all PASS output?
rothgar
reviewed
Apr 8, 2026
|
|
||
| ## OS-level hardening | ||
|
|
||
| Talos's architecture eliminates entire categories of OS-level risk that traditional Linux hardening guides address: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes #468 and #84