3.4.2.1 CIS Benchmark benchmark failure on EKS

[jasujamohit]

Configuration
Bottlerocket: 1.51.0
EKS: v1.32

Setup:

bootstrap-cis.sh

#!/usr/bin/env bash

# Flush iptables rules
iptables -F

# 3.4.1.1 Ensure IPv4 default deny firewall policy (Automated)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow inbound traffic for kubelet (so kubectl logs/exec works)
iptables -I INPUT -p tcp -m tcp --dport 10250 -j ACCEPT

# 3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP

# 3.4.1.3 Ensure IPv4 outbound and established connections are configured (Manual)
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

# Flush ip6tables rules 
ip6tables -F

# 3.4.2.1 Ensure IPv6 default deny firewall policy (Automated)
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
ip6tables -A INPUT -p tcp --destination-port 10250 -j ACCEPT

# 3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP

# 3.4.2.3 Ensure IPv6 outbound and established connections are configured (Manual)
ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT

Dockerfile

FROM debian:bookworm-slim  
RUN apt-get -y update && apt-get -y install iptables  
RUN update-alternatives --set iptables /usr/sbin/iptables-legacy  
RUN update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy  
COPY ./bootstrap-cis.sh /  
RUN chmod +x /bootstrap-cis.sh  
ENTRYPOINT ["/bootstrap-cis.sh"]  

userData

[settings.bootstrap-containers]
[settings.bootstrap-containers.cis-script]
mode = 'always'
source = '$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$CIS_IMAGE'

[settings.host-containers]
[settings.host-containers.admin]
enabled = true

[settings.host-containers.control]
enabled = true

[settings.kernel.sysctl]
'net.ipv4.conf.all.accept_redirects' = '0'
'net.ipv4.conf.all.log_martians' = '1'
'net.ipv4.conf.all.secure_redirects' = '0'
'net.ipv4.conf.all.send_redirects' = '0'
'net.ipv4.conf.default.accept_redirects' = '0'
'net.ipv4.conf.default.log_martians' = '1'
'net.ipv4.conf.default.secure_redirects' = '0'
'net.ipv4.conf.default.send_redirects' = '0'
'net.ipv6.conf.all.accept_redirects' = '0'
'net.ipv6.conf.all.forwarding' = '1'
'net.ipv6.conf.default.accept_redirects' = '0'

Expectation:
After creating Dockerfile with bootstrap-cis script from above and 3.4.1.1 fix on IPv6 EKS cluster, I expected apiclient report cis --level 2 to pass all the tests.

Test Result

bash-5.1# apiclient report cis --level 2
Benchmark name:  CIS Bottlerocket Benchmark
Version:         v1.0.0
Reference:       https://www.cisecurity.org/benchmark/bottlerocket
Benchmark level: 2
Start time:      2025-12-08T13:56:14.657994386Z

[PASS] 1.1.1.1   Ensure mounting of udf filesystems is disabled (Automatic)
[SKIP] 1.2.1     Ensure software update repositories are configured (Manual)
[PASS] 1.3.1     Ensure dm-verity is configured (Automatic)
[PASS] 1.4.1     Ensure setuid programs do not create core dumps (Automatic)
[PASS] 1.4.2     Ensure address space layout randomization (ASLR) is enabled (Automatic)
[PASS] 1.4.3     Ensure unprivileged eBPF is disabled (Automatic)
[PASS] 1.4.4     Ensure user namespaces are disabled (Automatic)
[PASS] 1.5.1     Ensure SELinux is configured (Automatic)
[PASS] 1.5.2     Ensure Lockdown is configured (Automatic)
[SKIP] 1.6       Ensure updates, patches, and additional security software are installed (Manual)
[PASS] 2.1.1.1   Ensure chrony is configured (Automatic)
[PASS] 3.1.1     Ensure packet redirect sending is disabled (Automatic)
[PASS] 3.2.1     Ensure source routed packets are not accepted (Automatic)
[PASS] 3.2.2     Ensure ICMP redirects are not accepted (Automatic)
[PASS] 3.2.3     Ensure secure ICMP redirects are not accepted (Automatic)
[PASS] 3.2.4     Ensure suspicious packets are logged (Automatic)
[PASS] 3.2.5     Ensure broadcast ICMP requests are ignored (Automatic)
[PASS] 3.2.6     Ensure bogus ICMP responses are ignored (Automatic)
[PASS] 3.2.7     Ensure TCP SYN Cookies is enabled (Automatic)
[PASS] 3.3.1     Ensure SCTP is disabled (Automatic)
[SKIP] 3.4.1.1   Ensure IPv4 default deny firewall policy (Exception)
[PASS] 3.4.1.2   Ensure IPv4 loopback traffic is configured (Automatic)
[SKIP] 3.4.1.3   Ensure IPv4 outbound and established connections are configured (Manual)
[FAIL] 3.4.2.1   Ensure IPv6 default deny firewall policy (Automatic)
[PASS] 3.4.2.2   Ensure IPv6 loopback traffic is configured (Automatic)
[SKIP] 3.4.2.3   Ensure IPv6 outbound and established connections are configured (Manual)
[PASS] 4.1.1.1   Ensure journald is configured to write logs to persistent disk (Automatic)
[PASS] 4.1.2     Ensure permissions on journal files are configured (Automatic)

Passed:          22
Failed:          1
Skipped:         5
Total checks:    28

Compliance check result: FAIL

Exceptions:
*  3.4.1.1 Test requires iptables FORWARD chain configuration that conflicts with Kubernetes networking architecture. Kubernetes manages its own iptables rules through kube-proxy and CNI plugins.

ip6tables configuration after node boot

bash-5.1# ip6tables --list INPUT -v -n
Chain INPUT (policy ACCEPT 4 packets, 368 bytes)
 pkts bytes target     prot opt in     out     source               destination         
5528K  953M cali-INPUT  all  --  *      *       ::/0                 ::/0                 /* cali:xxxxxxxxxx */
4879K  883M KUBE-FIREWALL  all  --  *      *       ::/0                 ::/0                
 273K   22M KUBE-PROXY-FIREWALL  all  --  *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes load balancer firewall */
4879K  883M KUBE-NODEPORTS  all  --  *      *       ::/0                 ::/0                 /* kubernetes health check service ports */
 273K   22M KUBE-EXTERNAL-SERVICES  all  --  *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes externally-visible service portals */
1222K  129M ACCEPT     tcp  --  *      *       ::/0                 ::/0                 tcp dpt:10250
2324K  310M ACCEPT     all  --  lo     *       ::/0                 ::/0                
    0     0 DROP       all  --  *      *       ::1                  ::/0                
1278K  440M ACCEPT     tcp  --  *      *       ::/0                 ::/0                 state ESTABLISHED
   40  9232 ACCEPT     udp  --  *      *       ::/0                 ::/0                 state ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       ::/0                 ::/0                 state ESTABLISHED
bash-5.1# ip6tables --list OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
5621K 4790M cali-OUTPUT  all  --  *      *       ::/0                 ::/0                 /* cali:xxxxxxxxxxxx */
5622K 4790M KUBE-FIREWALL  all  --  *      *       ::/0                 ::/0                
 378K   30M KUBE-PROXY-FIREWALL  all  --  *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes load balancer firewall */
 378K   30M KUBE-SERVICES  all  --  *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes service portals */
2324K  310M ACCEPT     all  --  *      lo      ::/0                 ::/0                
3288K 4479M ACCEPT     tcp  --  *      *       ::/0                 ::/0                 state NEW,ESTABLISHED
 3825  557K ACCEPT     udp  --  *      *       ::/0                 ::/0                 state NEW,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       ::/0                 ::/0                 state NEW,ESTABLISHED
bash-5.1# ip6tables --list FORWARD -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1417K 1390M cali-FORWARD  all  --  *      *       ::/0                 ::/0                 /* cali:xxxxxxxxxxxxx */
 275K   33M KUBE-PROXY-FIREWALL  all  --  *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes load balancer firewall */
 275K   33M KUBE-FORWARD  all  --  *      *       ::/0                 ::/0                 /* kubernetes forwarding rules */
 275K   33M KUBE-SERVICES  all  --  *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes service portals */
 275K   33M KUBE-EXTERNAL-SERVICES  all  --  *      *       ::/0                 ::/0                 ctstate NEW /* kubernetes externally-visible service portals */
 275K   33M ACCEPT     all  --  *      *       ::/0                 ::/0                 /* cali:xxxxxxxxxxx */ /* Policy explicitly accepted packet. */ mark match 0x10000/0x10000
  104  8320 MARK       all  --  *      *       ::/0                 ::/0                 /* cali:xxxxxxxxxx */ MARK or 0x10000

ip6tables version

ip6tables --version
ip6tables v1.8.11 (legacy)

[ginglis13]

Hey @jasujamohit , I've attempted a minimal repro using the exact same bootstrap container and user data as you've provided with one difference - I set settings.kubernetes.standalone-mode=true. Here are my results:

Test results

[ssm-user@control]$ apiclient get os
{
  "os": {
    "arch": "x86_64",
    "build_id": "47438798",
    "pretty_name": "Bottlerocket OS 1.51.0 (aws-k8s-1.32)",
    "variant_id": "aws-k8s-1.32",
    "version_id": "1.51.0"
  }
}
[ssm-user@control]$ apiclient report cis --level 2
Benchmark name:  CIS Bottlerocket Benchmark
Version:         v1.0.0
Reference:       https://www.cisecurity.org/benchmark/bottlerocket
Benchmark level: 2
Start time:      2025-12-10T23:56:47.895557125Z

[FAIL] 1.1.1.1   Ensure mounting of udf filesystems is disabled (Automatic)
[SKIP] 1.2.1     Ensure software update repositories are configured (Manual)
[PASS] 1.3.1     Ensure dm-verity is configured (Automatic)
[PASS] 1.4.1     Ensure setuid programs do not create core dumps (Automatic)
[PASS] 1.4.2     Ensure address space layout randomization (ASLR) is enabled (Automatic)
[PASS] 1.4.3     Ensure unprivileged eBPF is disabled (Automatic)
[PASS] 1.4.4     Ensure user namespaces are disabled (Automatic)
[PASS] 1.5.1     Ensure SELinux is configured (Automatic)
[PASS] 1.5.2     Ensure Lockdown is configured (Automatic)
[SKIP] 1.6       Ensure updates, patches, and additional security software are installed (Manual)
[PASS] 2.1.1.1   Ensure chrony is configured (Automatic)
[PASS] 3.1.1     Ensure packet redirect sending is disabled (Automatic)
[PASS] 3.2.1     Ensure source routed packets are not accepted (Automatic)
[PASS] 3.2.2     Ensure ICMP redirects are not accepted (Automatic)
[PASS] 3.2.3     Ensure secure ICMP redirects are not accepted (Automatic)
[PASS] 3.2.4     Ensure suspicious packets are logged (Automatic)
[PASS] 3.2.5     Ensure broadcast ICMP requests are ignored (Automatic)
[PASS] 3.2.6     Ensure bogus ICMP responses are ignored (Automatic)
[PASS] 3.2.7     Ensure TCP SYN Cookies is enabled (Automatic)
[FAIL] 3.3.1     Ensure SCTP is disabled (Automatic)
[SKIP] 3.4.1.1   Ensure IPv4 default deny firewall policy (Exception)
[PASS] 3.4.1.2   Ensure IPv4 loopback traffic is configured (Automatic)
[SKIP] 3.4.1.3   Ensure IPv4 outbound and established connections are configured (Manual)
[PASS] 3.4.2.1   Ensure IPv6 default deny firewall policy (Automatic)
[PASS] 3.4.2.2   Ensure IPv6 loopback traffic is configured (Automatic)
[SKIP] 3.4.2.3   Ensure IPv6 outbound and established connections are configured (Manual)
[PASS] 4.1.1.1   Ensure journald is configured to write logs to persistent disk (Automatic)
[PASS] 4.1.2     Ensure permissions on journal files are configured (Automatic)

Passed:          21
Failed:          2
Skipped:         5
Total checks:    28

Compliance check result: FAIL

Exceptions:
*  3.4.1.1 Test requires iptables FORWARD chain configuration that conflicts with Kubernetes networking architecture. Kubernetes manages its own iptables rules through kube-proxy and CNI plugins.

Which is reporting

[PASS] 3.4.2.1   Ensure IPv6 default deny firewall policy (Automatic)

Since I ran in standalone mode, I suspect perhaps there might something in the networking stack that's overriding the ip6tables policy set in the bootstrap container.

Could you share some more details about your cluster networking configuration? From the ip6tables output you shared, it appears you might be using Calico (unsure what version).

[ginglis13]

@jasujamohit I got a cluster up with Calico configured and I'm still able to pass 3.4.2.1 (using your bootstrap script/container, same userdata, same Bottlerocket/k8s versions) - if you could share some more details about your specific networking configuration, we could get to the bottom of this, but from my reproduction I'm seeing the default deny firewall check for ipv6 working as intended.