|
|
|
@ -10,7 +10,7 @@ groups:
|
|
|
|
|
checks:
|
|
|
|
|
- id: 2.1
|
|
|
|
|
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
|
|
|
|
|
audit: "check_for_k3s_etcd.sh 2.1"
|
|
|
|
|
audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
|
|
|
|
tests:
|
|
|
|
|
bin_op: and
|
|
|
|
|
test_items:
|
|
|
|
@ -30,7 +30,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.2
|
|
|
|
|
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
|
|
|
|
|
audit: "check_for_k3s_etcd.sh 2.2"
|
|
|
|
|
audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
|
|
|
|
|
tests:
|
|
|
|
|
bin_op: or
|
|
|
|
|
test_items:
|
|
|
|
@ -50,7 +50,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.3
|
|
|
|
|
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
|
|
|
|
|
audit: "check_for_k3s_etcd.sh 2.3"
|
|
|
|
|
audit: "grep 'auto-tls' $etcdconf | true"
|
|
|
|
|
tests:
|
|
|
|
|
bin_op: or
|
|
|
|
|
test_items:
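Review bot: The new 2.3 audit `grep 'auto-tls' $etcdconf | true` pipes grep's stdout into `true`, so the pipeline's output is always empty and its status always 0; the check can never see an `auto-tls: true` line, and whatever the test_items (outside this hunk) assert, the verdict is independent of the config. If the intent was only to tolerate grep's exit status 1 when the key is absent, that is `||`, not `|`: `audit: "grep 'auto-tls' $etcdconf || true"`. The 2.6 hunk's `grep 'peer-auto-tls' $etcdconf | true` has the same problem. Separately, the unanchored pattern `'auto-tls'` also matches `peer-auto-tls`, so 2.3 can report the peer setting as the client one; anchoring on the key start (e.g. `grep -E '^\s*auto-tls'`) would keep the two checks distinct, subject to how the k3s etcd config is actually laid out, which is not visible here.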
|
|
|
|
@ -70,7 +70,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.4
|
|
|
|
|
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
|
|
|
|
|
audit: "check_for_k3s_etcd.sh 2.4"
|
|
|
|
|
audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
|
|
|
|
tests:
|
|
|
|
|
bin_op: and
|
|
|
|
|
test_items:
|
|
|
|
@ -91,7 +91,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.5
|
|
|
|
|
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
|
|
|
|
|
audit: "check_for_k3s_etcd.sh 2.5"
|
|
|
|
|
audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
|
|
|
|
|
tests:
|
|
|
|
|
bin_op: or
|
|
|
|
|
test_items:
|
|
|
|
@ -111,7 +111,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.6
|
|
|
|
|
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
|
|
|
|
|
audit: "check_for_k3s_etcd.sh 2.6"
|
|
|
|
|
audit: "grep 'peer-auto-tls' $etcdconf | true"
|
|
|
|
|
tests:
|
|
|
|
|
bin_op: or
|
|
|
|
|
test_items:
|
|
|
|
@ -132,7 +132,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.7
|
|
|
|
|
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
|
|
|
|
|
audit: "check_for_k3s_etcd.sh 2.7"
|
|
|
|
|
audit: "grep 'trusted-ca-file' $etcdconf"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "trusted-ca-file"
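Review bot: The new 2.7 audit `grep 'trusted-ca-file' $etcdconf` together with the `trusted-ca-file` flag test proves only that a trusted CA is configured, not that it is unique to etcd as the check text requires; an etcd that trusts the same CA file the kube-apiserver uses for client auth would still pass. If the value cannot be compared against the apiserver's CA from this audit, say so next to the audit, e.g. `# Checks only that a trusted CA is set; uniqueness vs. the API server CA is not verified here`, so the "Automated" label is not read as a full verification. The 2.1/2.2/2.4/2.5 audits also rely on a fixed `-A 5` window after the section header, which can miss keys placed further down or pick up keys from an adjacent block; hedged, since the config layout is not visible in the diff. The enclosing `groups:` list and each check's remaining test_items lie outside these hunks.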
|
|
|
|
|