kube-bench/cfg/tkgi-1.2.53/etcd.yaml

---
controls:
version: "tkgi-1.2.53"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      - id: 2.1
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate"
        audit: ps -ef | grep etcd | grep -- "--cert-file=/var/vcap/jobs/etcd/config/etcd.crt" | grep -- "--key-file=/var/vcap/jobs/etcd/config/etcd.key"
        type: manual
        tests:
          bin_op: and
          test_items:
            - flag: "--cert-file"
            - flag: "--key-file"
        remediation: |
          Follow the etcd service documentation and configure TLS encryption.
          Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
          on the master node and set the below parameters.
          --cert-file=</path/to/ca-file>
          --key-file=</path/to/key-file>
        scored: false

      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true"
        audit: ps -ef | grep etcd | grep -- "--client\-cert\-auth"
        tests:
          test_items:
            - flag: "--client-cert-auth"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and set the below parameter.
          --client-cert-auth="true"
        scored: true

      - id: 2.3
        text: "Ensure that the --auto-tls argument is not set to true"
        audit: ps -ef | grep etcd | grep -v -- "--auto-tls"
        tests:
          test_items:
            - flag: "--auto-tls"
              compare:
                op: eq
                value: true
              set: false
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and either remove the --auto-tls parameter or set it to false.
            --auto-tls=false
        scored: true

      - id: 2.4
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate"
        audit: ps -ef | grep etcd | grep -- "--peer-cert-file=/var/vcap/jobs/etcd/config/peer.crt" | grep -- "--peer-key-file=/var/vcap/jobs/etcd/config/peer.key"
        type: manual
        tests:
          bin_op: and
          test_items:
            - flag: "--peer-cert-file"
            - flag: "--peer-key-file"
        remediation: |
          Follow the etcd service documentation and configure peer TLS encryption as appropriate
          for your etcd cluster.
          Then, edit the etcd pod specification file etcd config on the
          master node and set the below parameters.
          --peer-client-file=</path/to/peer-cert-file>
          --peer-key-file=</path/to/peer-key-file>
        scored: false

      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true"
        audit: ps -ef | grep etcd | grep -- "--peer\-client\-cert\-auth"
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true

      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true"
        audit: ps -ef | grep etcd | grep -v -- "--peer-auto-tls"
        tests:
          test_items:
            - flag: "--peer-auto-tls"
              compare:
                op: eq
                value: true
              set: false
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true

      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd"
        audit: diff /var/vcap/jobs/kube-apiserver/config/kubernetes-ca.pem /var/vcap/jobs/etcd/config/etcd-ca.crt | grep -c"^>" | grep -v "^0$"
        type: manual
        tests:
          test_items:
            - flag: "--trusted-ca-file"
        remediation: |
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file etcd config on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: false
add support VMware Tanzu(TKGI) Benchmarks v1.2.53 (#1452) * add Support VMware Tanzu(TKGI) Benchmarks v1.2.53 with this change, we are adding 1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53 2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks. 3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397 * add Support VMware Tanzu(TKGI) Benchmarks v1.2.53 with this change, we are adding 1. latest kubernetes cis benchmarks for VMware Tanzu1.2.53 2. logic to kube-bench so that kube-bench can auto detect vmware platform, will be able to execute the respective vmware tkgi compliance checks. 3. job-tkgi.yaml file to run the benchmark as a job in tkgi cluster Reference Document for checks: https://network.pivotal.io/products/p-compliance-scanner/#/releases/1248397 2023-06-01 13:37:50 +00:00			`---`
			`controls:`
			`version: "tkgi-1.2.53"`
			`id: 2`
			`text: "Etcd Node Configuration"`
			`type: "etcd"`
			`groups:`
			`- id: 2`
			`text: "Etcd Node Configuration Files"`
			`checks:`
			`- id: 2.1`
			`text: "Ensure that the --cert-file and --key-file arguments are set as appropriate"`
			`audit: ps -ef \| grep etcd \| grep -- "--cert-file=/var/vcap/jobs/etcd/config/etcd.crt" \| grep -- "--key-file=/var/vcap/jobs/etcd/config/etcd.key"`
			`type: manual`
			`tests:`
			`bin_op: and`
			`test_items:`
			`- flag: "--cert-file"`
			`- flag: "--key-file"`
			`remediation: \|`
			`Follow the etcd service documentation and configure TLS encryption.`
			`Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml`
			`on the master node and set the below parameters.`
			`--cert-file=</path/to/ca-file>`
			`--key-file=</path/to/key-file>`
			`scored: false`

			`- id: 2.2`
			`text: "Ensure that the --client-cert-auth argument is set to true"`
			`audit: ps -ef \| grep etcd \| grep -- "--client\-cert\-auth"`
			`tests:`
			`test_items:`
			`- flag: "--client-cert-auth"`
			`compare:`
			`op: eq`
			`value: true`
			`remediation: \|`
			`Edit the etcd pod specification file etcd config on the master`
			`node and set the below parameter.`
			`--client-cert-auth="true"`
			`scored: true`

			`- id: 2.3`
			`text: "Ensure that the --auto-tls argument is not set to true"`
			`audit: ps -ef \| grep etcd \| grep -v -- "--auto-tls"`
			`tests:`
			`test_items:`
			`- flag: "--auto-tls"`
			`compare:`
			`op: eq`
			`value: true`
			`set: false`
			`remediation: \|`
			`Edit the etcd pod specification file etcd config on the master`
			`node and either remove the --auto-tls parameter or set it to false.`
			`--auto-tls=false`
			`scored: true`

			`- id: 2.4`
			`text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate"`
			`audit: ps -ef \| grep etcd \| grep -- "--peer-cert-file=/var/vcap/jobs/etcd/config/peer.crt" \| grep -- "--peer-key-file=/var/vcap/jobs/etcd/config/peer.key"`
			`type: manual`
			`tests:`
			`bin_op: and`
			`test_items:`
			`- flag: "--peer-cert-file"`
			`- flag: "--peer-key-file"`
			`remediation: \|`
			`Follow the etcd service documentation and configure peer TLS encryption as appropriate`
			`for your etcd cluster.`
			`Then, edit the etcd pod specification file etcd config on the`
			`master node and set the below parameters.`
			`--peer-client-file=</path/to/peer-cert-file>`
			`--peer-key-file=</path/to/peer-key-file>`
			`scored: false`

			`- id: 2.5`
			`text: "Ensure that the --peer-client-cert-auth argument is set to true"`
			`audit: ps -ef \| grep etcd \| grep -- "--peer\-client\-cert\-auth"`
			`tests:`
			`test_items:`
			`- flag: "--peer-client-cert-auth"`
			`compare:`
			`op: eq`
			`value: true`
			`remediation: \|`
			`Edit the etcd pod specification file etcd config on the master`
			`node and set the below parameter.`
			`--peer-client-cert-auth=true`
			`scored: true`

			`- id: 2.6`
			`text: "Ensure that the --peer-auto-tls argument is not set to true"`
			`audit: ps -ef \| grep etcd \| grep -v -- "--peer-auto-tls"`
			`tests:`
			`test_items:`
			`- flag: "--peer-auto-tls"`
			`compare:`
			`op: eq`
			`value: true`
			`set: false`
			`remediation: \|`
			`Edit the etcd pod specification file etcd config on the master`
			`node and either remove the --peer-auto-tls parameter or set it to false.`
			`--peer-auto-tls=false`
			`scored: true`

			`- id: 2.7`
			`text: "Ensure that a unique Certificate Authority is used for etcd"`
			`audit: diff /var/vcap/jobs/kube-apiserver/config/kubernetes-ca.pem /var/vcap/jobs/etcd/config/etcd-ca.crt \| grep -c"^>" \| grep -v "^0$"`
			`type: manual`
			`tests:`
			`test_items:`
			`- flag: "--trusted-ca-file"`
			`remediation: \|`
			`Follow the etcd documentation and create a dedicated certificate authority setup for the`
			`etcd service.`
			`Then, edit the etcd pod specification file etcd config on the`
			`master node and set the below parameter.`
			`--trusted-ca-file=</path/to/ca-file>`
			`scored: false`