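---
# Benchmark controls for the etcd node role on OpenShift (version rh-1.0).
# Schema: controls / groups / checks / tests.test_items (kube-bench-style;
# confirm against the consuming tool). Every check below is Manual and
# unscored: each audit only surfaces the relevant etcd flag value, because
# the certificates and TLS settings are managed by the cluster etcd operator.
#
# Assumptions shared by all audit scripts:
#   * $HOSTNAME is the name of the pod running the audit, so that
#     `oc get pod "$HOSTNAME"` resolves the node the audit runs on;
#   * the audit's service account may `get pods` and `exec` into pods of the
#     openshift-etcd namespace - a privileged capability; keep that RBAC
#     scoped to the audit identity only;
#   * `2>/dev/null` on the pod lookup hides API/RBAC errors, so an empty
#     POD_NAME ("no matching ... found") cannot be told apart from a
#     permission failure. Treat such a result as "not verified", not "pass".
#
# `controls:` is deliberately left empty; the runner appears to read the
# sibling keys (version, id, text, type, groups) - confirm before changing.
controls:
version: rh-1.0
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      - id: 2.1
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Manual)"
        audit: |
          # Get the node name where the pod is running
          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
          # Get the name of the etcd pod scheduled on that node
          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
          if [ -z "$POD_NAME" ]; then
            # No etcd pod matched this node (or the lookup above failed silently)
            echo "No matching file found on the current node."
          else
            # Read the etcd command line inside the pod and reduce it to the
            # --cert-file= and --key-file= arguments, one per output line.
            # NOTE(review): sed prints the whole command line unchanged when
            # the flag is absent; the unanchored regex below could then still
            # match another path on that line - confirm the runner fails that case.
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--cert-file=[^ ]*\).*/\1/'
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--key-file=[^ ]*\).*/\1/'
          fi
        # The audit emits one line per flag; each line is evaluated against the test item.
        use_multiple_values: true
        tests:
          test_items:
            # "file" is intended to match both the --cert-file= and --key-file= lines.
            - flag: "file"
              compare:
                op: regex
                # Serving cert/key issued by the etcd operator under static-pod-certs.
                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-serving\/etcd-serving-.*\.(?:crt|key)'
        remediation: |
          OpenShift does not use the etcd-certfile or etcd-keyfile flags.
          Certificates for etcd are managed by the etcd cluster operator.
        scored: false

      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true (Manual)"
        audit: |
          # Get the node name where the pod is running
          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
          # Get the name of the etcd pod scheduled on that node
          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
          if [ -z "$POD_NAME" ]; then
            # No etcd pod matched this node (or the lookup above failed silently)
            echo "No matching file found on the current node."
          else
            # Read the etcd command line inside the pod and reduce it to --client-cert-auth=<value>
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--client-cert-auth=[^ ]*\).*/\1/'
          fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "--client-cert-auth"
              compare:
                op: eq
                # Quoted so the compare value stays a string regardless of the
                # YAML parser's boolean rules (consistent with "1" in 2.3/2.6).
                value: "true"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.3
        text: "Ensure that the --auto-tls argument is not set to true (Manual)"
        audit: |
          # Reports grep's exit status: 0 if --auto-tls=true is present, 1 if not found
          # Get the node name where the pod is running
          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
          # Get the name of the etcd pod scheduled on that node
          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
          if [ -z "$POD_NAME" ]; then
            # No etcd pod matched this node (or the lookup above failed silently)
            echo "No matching file found on the current node."
          else
            # $? is grep's status only: if `oc exec` itself fails, grep sees no
            # input and still exits 1, which the test below reads as a pass.
            # NOTE(review): consider checking the exec result separately.
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | grep -- --auto-tls=true 2>/dev/null ; echo exit_code=$?
          fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "exit_code"
              compare:
                op: eq
                # 1 = "--auto-tls=true" not present on the etcd command line.
                value: "1"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.4
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Manual)"
        audit: |
          # Get the node name where the pod is running
          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
          # Get the name of the etcd pod scheduled on that node
          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
          if [ -z "$POD_NAME" ]; then
            # No etcd pod matched this node (or the lookup above failed silently)
            echo "No matching file found on the current node."
          else
            # Read the etcd command line inside the pod and reduce it to the
            # --peer-cert-file= and --peer-key-file= arguments, one per output line.
            # NOTE(review): as in 2.1, an absent flag leaves the full command
            # line in the output, which the unanchored regex may still match.
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-cert-file=[^ ]*\).*/\1/'
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-key-file=[^ ]*\).*/\1/'
          fi
        # The audit emits one line per flag; each line is evaluated against the test item.
        use_multiple_values: true
        tests:
          test_items:
            # "file" is intended to match both the --peer-cert-file= and --peer-key-file= lines.
            - flag: "file"
              compare:
                op: regex
                # Peer cert/key issued by the etcd operator under static-pod-certs.
                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-peer\/etcd-peer-.*\.(?:crt|key)'
        remediation: |
          None. This configuration is managed by the etcd operator.
        scored: false

      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Manual)"
        audit: |
          # Get the node name where the pod is running
          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
          # Get the name of the etcd pod scheduled on that node
          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
          if [ -z "$POD_NAME" ]; then
            # No etcd pod matched this node (or the lookup above failed silently)
            echo "No matching file found on the current node."
          else
            # Read the etcd command line inside the pod and reduce it to --peer-client-cert-auth=<value>
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-client-cert-auth=[^ ]*\).*/\1/'
          fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                # Quoted so the compare value stays a string regardless of the
                # YAML parser's boolean rules (consistent with "1" in 2.3/2.6).
                value: "true"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true (Manual)"
        audit: |
          # Reports grep's exit status: 0 if --peer-auto-tls=true is present, 1 if not found
          # Get the node name where the pod is running
          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
          # Get the name of the etcd pod scheduled on that node
          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
          if [ -z "$POD_NAME" ]; then
            # No etcd pod matched this node (or the lookup above failed silently)
            echo "No matching file found on the current node."
          else
            # $? is grep's status only: if `oc exec` itself fails, grep sees no
            # input and still exits 1, which the test below reads as a pass.
            # NOTE(review): consider checking the exec result separately.
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>/dev/null ; echo exit_code=$?
          fi
        use_multiple_values: true
        tests:
          test_items:
            - flag: "exit_code"
              compare:
                op: eq
                # 1 = "--peer-auto-tls=true" not present on the etcd command line.
                value: "1"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
        audit: |
          # Get the node name where the pod is running
          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
          # Get the name of the etcd pod scheduled on that node
          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
          if [ -z "$POD_NAME" ]; then
            # No etcd pod matched this node (or the lookup above failed silently)
            echo "No matching file found on the current node."
          else
            # Read the etcd command line inside the pod and reduce it to the
            # --trusted-ca-file= and --peer-trusted-ca-file= arguments, one per output line.
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--trusted-ca-file=[^ ]*\).*/\1/'
            oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-trusted-ca-file=[^ ]*\).*/\1/'
          fi
        # The audit emits one line per flag; each line is evaluated against the test item.
        use_multiple_values: true
        tests:
          test_items:
            - flag: "file"
              compare:
                op: regex
                # Only confirms the CA bundle paths point at the etcd-specific
                # serving / peer-client CA configmaps; that the CA is unique
                # (not shared with the API server) remains a manual verification.
                value: '\/etc\/kubernetes\/static-pod-certs\/configmaps\/etcd-(?:serving|peer-client)-ca\/ca-bundle\.(?:crt|key)'
        remediation: |
          None required. Certificates for etcd are managed by the OpenShift cluster etcd operator.
        scored: false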