From 73f2387e30d446d303205177e0b6b57503af407c Mon Sep 17 00:00:00 2001
From: Kiran Bodipi
Date: Fri, 3 Nov 2023 15:30:52 +0530
Subject: [PATCH] RKE/RKE2 CIS Benchmarks

Updated the order of checks for RKE and RKE2 Platforms.
---
 cfg/rke-cis-1.23/etcd.yaml | 83 ----------------------------------
 cfg/rke-cis-1.23/master.yaml | 79 ++++++++++++++++++++++++++++++++
 cfg/rke-cis-1.24/etcd.yaml | 83 ----------------------------------
 cfg/rke-cis-1.24/master.yaml | 79 ++++++++++++++++++++++++++++++++
 cfg/rke-cis-1.7/etcd.yaml | 85 -----------------------------------
 cfg/rke-cis-1.7/master.yaml | 81 +++++++++++++++++++++++++++++++++
 cfg/rke2-cis-1.23/etcd.yaml | 66 ---------------------------
 cfg/rke2-cis-1.23/master.yaml | 63 ++++++++++++++++++++++++++
 cfg/rke2-cis-1.24/etcd.yaml | 66 ---------------------------
 cfg/rke2-cis-1.24/master.yaml | 63 ++++++++++++++++++++++++++
 cfg/rke2-cis-1.7/etcd.yaml | 66 ---------------------------
 cfg/rke2-cis-1.7/master.yaml | 63 ++++++++++++++++++++++++++
 12 files changed, 428 insertions(+), 449 deletions(-)
diff --git a/cfg/rke-cis-1.23/etcd.yaml b/cfg/rke-cis-1.23/etcd.yaml
index 0636570..f0325e0 100644
--- a/cfg/rke-cis-1.23/etcd.yaml
+++ b/cfg/rke-cis-1.23/etcd.yaml
@@ -5,89 +5,6 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - - id: 1.1 - text: "Control Plane Node Configuration Files" - checks: - - id: 1.1.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: stat -c %a /node/var/lib/etcd - tests: - test_items: - - flag: "700" - compare: - op: eq - value: "700" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). For example, - chmod 700 /var/lib/etcd - scored: true - - - id: 1.1.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" - type: "skip" - audit: "stat -c %U:%G /node/var/lib/etcd" - tests: - test_items: - - flag: "etcd:etcd" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). - For example, chown etcd:etcd /var/lib/etcd - scored: true - - - id: 1.1.19 - text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" - audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" - tests: - test_items: - - flag: "true" - compare: - op: eq - value: "true" - set: true - remediation: | - Run the below command (based on the file location on your system) on the control plane node. 
- For example, - chown -R root:root /etc/kubernetes/pki/ - scored: true - - - id: 1.1.20 - text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)" - audit: "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "644" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chmod -R 644 /etc/kubernetes/pki/*.crt - scored: false - - - id: 1.1.21 - text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" - audit: "find /etc/kubernetes/pki/ -name '*.key' | xargs stat -c permissions=%a" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "600" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chmod -R 600 /etc/kubernetes/pki/*.key - scored: false - - id: 2 text: "Etcd Node Configuration" checks: diff --git a/cfg/rke-cis-1.23/master.yaml b/cfg/rke-cis-1.23/master.yaml index f4d1b93..bc23382 100644 --- a/cfg/rke-cis-1.23/master.yaml +++ b/cfg/rke-cis-1.23/master.yaml 
@@ -150,6 +150,38 @@ groups: chown root:root scored: false + - id: 1.1.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" + audit: stat -c %a /node/var/lib/etcd + tests: + test_items: + - flag: "700" + compare: + op: eq + value: "700" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). For example, + chmod 700 /var/lib/etcd + scored: true + + - id: 1.1.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" + type: "skip" + audit: "stat -c %U:%G /node/var/lib/etcd" + tests: + test_items: + - flag: "etcd:etcd" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). + For example, chown etcd:etcd /var/lib/etcd + scored: true + - id: 1.1.13 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" type: "skip" 
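Review bot: The new 1.1.11 check compares with `op: eq` against `"700"`, so an etcd data directory at 0600 or 0500 — which is "more restrictive" and satisfies the control's own title — is reported as a failure. The rke2 profiles in this same patch express the identical control correctly; the three-line change to match them is `audit: "stat -c permissions=%a /node/var/lib/etcd"`, `- flag: "permissions"` and `op: bitmask`. Separately, now that the check lives in master.yaml it presumably also runs on RKE control-plane nodes that do not carry the etcd role, where `/node/var/lib/etcd` is absent and the `set: true` test would presumably FAIL rather than skip; a guard such as `if test -d /node/var/lib/etcd; then stat -c permissions=%a /node/var/lib/etcd; fi` plus a comment explaining the node-role assumption would avoid a spurious finding. The enclosing `checks:` list starts and ends outside this hunk.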
@@ -229,6 +261,53 @@ groups: All configuration is passed in as arguments at container run time. scored: true + - id: 1.1.19 + text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" + audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" + tests: + test_items: + - flag: "true" + compare: + op: eq + value: "true" + set: true + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chown -R root:root /etc/kubernetes/pki/ + scored: true + + - id: 1.1.20 + text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)" + audit: "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "644" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chmod -R 644 /etc/kubernetes/pki/*.crt + scored: false + + - id: 1.1.21 + text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" + audit: "find /etc/kubernetes/pki/ -name '*.key' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "600" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chmod -R 600 /etc/kubernetes/pki/*.key + scored: false - id: 1.2 text: "API Server" diff --git a/cfg/rke-cis-1.24/etcd.yaml b/cfg/rke-cis-1.24/etcd.yaml index 81e9907..835e43c 100644 --- a/cfg/rke-cis-1.24/etcd.yaml +++ b/cfg/rke-cis-1.24/etcd.yaml 
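Review bot: The 1.1.20 and 1.1.21 audits look in `/etc/kubernetes/pki/` for `*.crt`/`*.key`, but 1.1.19 in the same hunk (and the rke-cis-1.24/1.7 profiles in this patch) audit RKE's PKI under `/node/etc/kubernetes/ssl` as `*.pem` files; on an RKE node the kubeadm path does not exist, so `find` prints nothing, GNU `xargs` still invokes `stat` with no operand, and the two controls never observe the real certificates and keys. Aligning them with the 1.24 profile, `audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a"` and `audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a"`, keeps this benchmark version's 644/600 thresholds while pointing at the right files. For the same reason the 1.1.19 remediation `chown -R root:root /etc/kubernetes/pki/` and the two chmod examples should name `/etc/kubernetes/ssl/`, otherwise an operator following them cannot clear the finding.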
@@ -5,89 +5,6 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - - id: 1.1 - text: "Control Plane Node Configuration Files" - checks: - - id: 1.1.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: stat -c %a /node/var/lib/etcd - tests: - test_items: - - flag: "700" - compare: - op: eq - value: "700" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). For example, - chmod 700 /var/lib/etcd - scored: true - - - id: 1.1.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" - type: "skip" - audit: "stat -c %U:%G /node/var/lib/etcd" - tests: - test_items: - - flag: "etcd:etcd" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). - For example, chown etcd:etcd /var/lib/etcd - scored: true - - - id: 1.1.19 - text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" - audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" - tests: - test_items: - - flag: "true" - compare: - op: eq - value: "true" - set: true - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chown -R root:root /etc/kubernetes/pki/ - scored: true - - - id: 1.1.20 - text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" - audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! 
-name '*key.pem' | xargs stat -c permissions=%a" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "600" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} + - scored: false - - - id: 1.1.21 - text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" - audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "600" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} + - scored: false - - id: 2 text: "Etcd Node Configuration" checks: diff --git a/cfg/rke-cis-1.24/master.yaml b/cfg/rke-cis-1.24/master.yaml index 486c17d..394cff4 100644 --- a/cfg/rke-cis-1.24/master.yaml +++ b/cfg/rke-cis-1.24/master.yaml 
@@ -152,6 +152,38 @@ groups: chown root:root scored: false + - id: 1.1.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" + audit: stat -c %a /node/var/lib/etcd + tests: + test_items: + - flag: "700" + compare: + op: eq + value: "700" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). For example, + chmod 700 /var/lib/etcd + scored: true + + - id: 1.1.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" + type: "skip" + audit: "stat -c %U:%G /node/var/lib/etcd" + tests: + test_items: + - flag: "etcd:etcd" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). + For example, chown etcd:etcd /var/lib/etcd + scored: true + - id: 1.1.13 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" type: "skip" 
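Review bot: 1.1.11 uses `op: eq` against `"700"`, which fails a data directory at 0600/0500 even though the control text accepts anything more restrictive; `audit: "stat -c permissions=%a /node/var/lib/etcd"`, `- flag: "permissions"` and `op: bitmask` — the form the rke2 profiles in this patch use for the same control — would make the test match the text. 1.1.12 remains `type: "skip"` while carrying `scored: true` and an "(Automated)" title, so kube-bench presumably surfaces it as a warning on every run; if the skip is deliberate for RKE, a one-line note in the remediation saying why (the 1.7 profile has such a "Permissive" line) would stop auditors chasing it. The surrounding `checks:` list continues outside this hunk.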
@@ -237,6 +269,53 @@ groups: chown root:root $controllermanagerkubeconfig scored: true + - id: 1.1.19 + text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" + audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" + tests: + test_items: + - flag: "true" + compare: + op: eq + value: "true" + set: true + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chown -R root:root /etc/kubernetes/pki/ + scored: true + + - id: 1.1.20 + text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" + audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "600" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} + + scored: false + + - id: 1.1.21 + text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" + audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "600" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} + + scored: false - id: 1.2 text: "API Server" diff --git a/cfg/rke-cis-1.7/etcd.yaml b/cfg/rke-cis-1.7/etcd.yaml index 6689e0f..636ca90 100644 --- a/cfg/rke-cis-1.7/etcd.yaml +++ b/cfg/rke-cis-1.7/etcd.yaml 
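Review bot: 1.1.19 audits `/node/etc/kubernetes/ssl` but its remediation tells the operator to run `chown -R root:root /etc/kubernetes/pki/`, a kubeadm path that does not hold RKE's certificates, so following the remediation leaves the finding in place; it should read `chown -R root:root /etc/kubernetes/ssl/`. The 1.1.20/1.1.21 remediations use `find ... -exec chmod -R 600 {} +`; `-R` is meaningless for the regular files `find -name` returns and would recurse if a directory ever matched, so `-exec chmod 600 {} +` is the intended command. Note that `! -name '*key.pem'` is the only thing separating keys from certificates here, which is worth a comment since it relies on RKE's `*-key.pem` naming convention.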
@@ -5,91 +5,6 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - - id: 1.1 - text: "Control Plane Node Configuration Files" - checks: - - id: 1.1.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: stat -c %a /node/var/lib/etcd - tests: - test_items: - - flag: "700" - compare: - op: eq - value: "700" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). For example, - chmod 700 /var/lib/etcd - scored: true - - - id: 1.1.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" - type: "skip" - audit: "stat -c %U:%G /node/var/lib/etcd" - tests: - test_items: - - flag: "etcd:etcd" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). - For example, chown etcd:etcd /var/lib/etcd - Permissive - A system service account is required for etcd data directory ownership. - Refer to Rancher's hardening guide for more details on how to configure this ownership. - scored: true - - - id: 1.1.19 - text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" - audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" - tests: - test_items: - - flag: "true" - compare: - op: eq - value: "true" - set: true - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chown -R root:root /etc/kubernetes/pki/ - scored: true - - - id: 1.1.20 - text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" - audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! 
-name '*key.pem' | xargs stat -c permissions=%a" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "600" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} + - scored: false - - - id: 1.1.21 - text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" - audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "600" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} + - scored: false - - id: 2 text: "Etcd Node Configuration" checks: diff --git a/cfg/rke-cis-1.7/master.yaml b/cfg/rke-cis-1.7/master.yaml index 22f36db..2fceed3 100644 --- a/cfg/rke-cis-1.7/master.yaml +++ b/cfg/rke-cis-1.7/master.yaml 
@@ -169,6 +169,40 @@ groups: chown root:root scored: false + - id: 1.1.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" + audit: stat -c %a /node/var/lib/etcd + tests: + test_items: + - flag: "700" + compare: + op: eq + value: "700" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). For example, + chmod 700 /var/lib/etcd + scored: true + + - id: 1.1.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" + type: "skip" + audit: "stat -c %U:%G /node/var/lib/etcd" + tests: + test_items: + - flag: "etcd:etcd" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). + For example, chown etcd:etcd /var/lib/etcd + Permissive - A system service account is required for etcd data directory ownership. + Refer to Rancher's hardening guide for more details on how to configure this ownership. + scored: true + - id: 1.1.13 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" type: "skip" 
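Review bot: 1.1.11 asserts exact equality with `"700"`, so a data directory at 0600 or 0500 fails a control whose title says "700 or more restrictive"; `audit: "stat -c permissions=%a /node/var/lib/etcd"`, `- flag: "permissions"` and `op: bitmask` (as the rke2 profiles in this patch already do) would encode the intended "subset of 700" semantics. 1.1.12 keeps `type: "skip"` with `scored: true`, and its remediation now both instructs `chown etcd:etcd` and explains that a system service account is required, which reads as contradictory — if the hardened RKE configuration does create that account, the skip could be dropped so the ownership is actually asserted, otherwise the "(Automated)" label in the title is misleading and should say the check is not evaluated on RKE.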
@@ -264,6 +298,53 @@ groups: All configuration is passed in as arguments at container run time. scored: true + - id: 1.1.19 + text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" + audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" + tests: + test_items: + - flag: "true" + compare: + op: eq + value: "true" + set: true + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chown -R root:root /etc/kubernetes/pki/ + scored: true + + - id: 1.1.20 + text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" + audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "600" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} + + scored: false + + - id: 1.1.21 + text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" + audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "600" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} + + scored: false - id: 1.2 text: "API Server" diff --git a/cfg/rke2-cis-1.23/etcd.yaml b/cfg/rke2-cis-1.23/etcd.yaml index 22c1bc2..251bcd8 100644 --- a/cfg/rke2-cis-1.23/etcd.yaml +++ b/cfg/rke2-cis-1.23/etcd.yaml 
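Review bot: The 1.1.19 remediation names `/etc/kubernetes/pki/` while the audit inspects `/node/etc/kubernetes/ssl`; on RKE only the latter exists, so the documented fix cannot clear the finding and should be `chown -R root:root /etc/kubernetes/ssl/`. In 1.1.20/1.1.21, `find ... | xargs stat` will, with GNU xargs, still run `stat` with no operand when nothing matches, producing a stderr error instead of a clean empty result — `xargs -r` (or `find ... -exec stat -c permissions=%a {} +`) avoids that. `chmod -R` in both remediations should be plain `chmod 600`, as `find` only hands it files.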
@@ -5,72 +5,6 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - - id: 1.1 - text: "Master Node Configuration Files" - checks: - - id: 1.1.7 - text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" - audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "644" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chmod 644 $etcdconf - scored: true - - - id: 1.1.8 - text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" - audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chown root:root $etcdconf - scored: true - - - id: 1.1.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "700" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). 
For example, - chmod 700 /var/lib/etcd - scored: true - - - id: 1.1.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" - type: "skip" - audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" - tests: - test_items: - - flag: "etcd:etcd" - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). - For example, chown etcd:etcd /var/lib/etcd - scored: true - - id: 2 text: "Etcd Node Configuration" checks: diff --git a/cfg/rke2-cis-1.23/master.yaml b/cfg/rke2-cis-1.23/master.yaml index a013cc8..aeb766a 100644 --- a/cfg/rke2-cis-1.23/master.yaml +++ b/cfg/rke2-cis-1.23/master.yaml @@ -96,6 +96,38 @@ groups: For example, chown root:root $schedulerconf scored: true + - id: 1.1.7 + text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" + audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "644" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chmod 644 $etcdconf + scored: true + + - id: 1.1.8 + text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chown root:root $etcdconf + scored: true + - id: 1.1.9 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)" audit: | 
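Review bot: In the 1.1.7 audit the `'*etcd*'` quotes sit inside the already single-quoted `sh -c '...'` string, so they close and reopen the outer quoting and the glob reaches both the outer and inner shell unquoted; it only works because `*etcd*` normally matches nothing in kube-bench's working directory, and a stray matching file there would silently change what `find -name` searches for. Escaping the inner quotes keeps the pattern literal: `audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name \"*etcd*\" | xargs stat -c permissions=%a; fi'"`. Since `$etcdconf` appears to be a single manifest file (1.1.8 below stats it directly), `find $etcdconf -name ...` is also a roundabout `stat -c permissions=%a $etcdconf`, and matching 1.1.8's form would be simpler to read.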
@@ -128,6 +160,37 @@ groups: chown root:root scored: false + - id: 1.1.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" + audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "700" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). For example, + chmod 700 /var/lib/etcd + scored: true + + - id: 1.1.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" + type: "skip" + audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" + tests: + test_items: + - flag: "etcd:etcd" + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). + For example, chown etcd:etcd /var/lib/etcd + scored: true + - id: 1.1.13 text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)" audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/cred/admin.kubeconfig" diff --git a/cfg/rke2-cis-1.24/etcd.yaml b/cfg/rke2-cis-1.24/etcd.yaml index b9e3aac..1e62ff4 100644 --- a/cfg/rke2-cis-1.24/etcd.yaml +++ b/cfg/rke2-cis-1.24/etcd.yaml 
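Review bot: Both remediation examples still point at `/var/lib/etcd` while the audits on the same checks read `/var/lib/rancher/rke2/server/db/etcd`, so an operator following the text would chmod/chown a directory RKE2 does not use; they should read `chmod 700 /var/lib/rancher/rke2/server/db/etcd` and `chown etcd:etcd /var/lib/rancher/rke2/server/db/etcd`. 1.1.12 is `type: "skip"` yet `scored: true` and titled "(Automated)"; if RKE2's hardened profile requires an `etcd` user to exist (as its hardening guidance suggests, but this hunk cannot confirm), the skip could be removed so ownership is actually enforced, and if not the remediation should say why it is not evaluated. The `checks:` list continues outside this hunk.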
@@ -5,72 +5,6 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - - id: 1.1 - text: "Master Node Configuration Files" - checks: - - id: 1.1.7 - text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" - audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "644" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chmod 644 $etcdconf - scored: true - - - id: 1.1.8 - text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" - audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chown root:root $etcdconf - scored: true - - - id: 1.1.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "700" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). 
For example, - chmod 700 /var/lib/etcd - scored: true - - - id: 1.1.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" - type: "skip" - audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" - tests: - test_items: - - flag: "etcd:etcd" - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). - For example, chown etcd:etcd /var/lib/etcd - scored: true - - id: 2 text: "Etcd Node Configuration" checks: diff --git a/cfg/rke2-cis-1.24/master.yaml b/cfg/rke2-cis-1.24/master.yaml index 8d16f87..13afa29 100644 --- a/cfg/rke2-cis-1.24/master.yaml +++ b/cfg/rke2-cis-1.24/master.yaml @@ -96,6 +96,38 @@ groups: For example, chown root:root $schedulerconf scored: true + - id: 1.1.7 + text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" + audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "644" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chmod 644 $etcdconf + scored: true + + - id: 1.1.8 + text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chown root:root $etcdconf + scored: true + - id: 1.1.9 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)" audit: | 
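Review bot: The 1.1.7 audit nests `'*etcd*'` inside a single-quoted `sh -c '...'` argument, which un-quotes the glob in both shells rather than quoting it; it is harmless only while no file in the working directory matches `*etcd*`. `audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name \"*etcd*\" | xargs stat -c permissions=%a; fi'"` keeps the pattern literal. 1.1.8 stats `$etcdconf` directly, so 1.1.7 would be clearer and more robust doing the same instead of the `find | xargs` pipeline.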
@@ -128,6 +160,37 @@ groups: chown root:root scored: false + - id: 1.1.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" + audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "700" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). For example, + chmod 700 /var/lib/etcd + scored: true + + - id: 1.1.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" + type: "skip" + audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" + tests: + test_items: + - flag: "etcd:etcd" + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). + For example, chown etcd:etcd /var/lib/etcd + scored: true + - id: 1.1.13 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/cred/admin.kubeconfig" diff --git a/cfg/rke2-cis-1.7/etcd.yaml b/cfg/rke2-cis-1.7/etcd.yaml index 83f83d1..885e5d4 100644 --- a/cfg/rke2-cis-1.7/etcd.yaml +++ b/cfg/rke2-cis-1.7/etcd.yaml 
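Review bot: The remediation examples for 1.1.11 and 1.1.12 name `/var/lib/etcd`, but the audits two lines above them read `/var/lib/rancher/rke2/server/db/etcd`; the text should match the audited path, e.g. `chmod 700 /var/lib/rancher/rke2/server/db/etcd` and `chown etcd:etcd /var/lib/rancher/rke2/server/db/etcd`, so the fix an operator applies is the one the check measures. 1.1.12's test item has no `set`/`compare`, so it is a bare presence match for `etcd:etcd` in the stat output — fine, but since the check is also `type: "skip"` with `scored: true`, a comment stating why ownership is not evaluated on RKE2 would help whoever next wonders whether the skip is intentional.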
@@ -5,72 +5,6 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - - id: 1.1 - text: "Master Node Configuration Files" - checks: - - id: 1.1.7 - text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" - audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" - use_multiple_values: true - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "600" - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chmod 600 $etcdconf - scored: true - - - id: 1.1.8 - text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" - audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chown root:root $etcdconf - scored: true - - - id: 1.1.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" - tests: - test_items: - - flag: "permissions" - compare: - op: bitmask - value: "700" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). 
For example, - chmod 700 /var/lib/etcd - scored: true - - - id: 1.1.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" - type: "skip" - audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" - tests: - test_items: - - flag: "etcd:etcd" - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir, - from the command 'ps -ef | grep etcd'. - Run the below command (based on the etcd data directory found above). - For example, chown etcd:etcd /var/lib/etcd - scored: true - - id: 2 text: "Etcd Node Configuration" checks: diff --git a/cfg/rke2-cis-1.7/master.yaml b/cfg/rke2-cis-1.7/master.yaml index 800f62f..f7734b8 100644 --- a/cfg/rke2-cis-1.7/master.yaml +++ b/cfg/rke2-cis-1.7/master.yaml @@ -96,6 +96,38 @@ groups: For example, chown root:root $schedulerconf scored: true + - id: 1.1.7 + text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" + audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "600" + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chmod 600 $etcdconf + scored: true + + - id: 1.1.8 + text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: | + Run the below command (based on the file location on your system) on the control plane node. + For example, + chown root:root $etcdconf + scored: true + - id: 1.1.9 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)" audit: | 
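Review bot: The `'*etcd*'` in the 1.1.7 audit terminates the surrounding `sh -c '...'` quoting, so the glob is unquoted in the outer shell and in the inner one, and the command depends on nothing in the working directory matching it. `audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name \"*etcd*\" | xargs stat -c permissions=%a; fi'"` makes the pattern literal. As 1.1.8 already stats `$etcdconf` directly, 1.1.7 could simply use `stat -c permissions=%a $etcdconf` under the same `test -e` guard.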
@@ -128,6 +160,37 @@ groups: chown root:root scored: false + - id: 1.1.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" + audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/db/etcd" + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "700" + set: true + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). For example, + chmod 700 /var/lib/etcd + scored: true + + - id: 1.1.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" + type: "skip" + audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" + tests: + test_items: + - flag: "etcd:etcd" + remediation: | + On the etcd server node, get the etcd data directory, passed as an argument --data-dir, + from the command 'ps -ef | grep etcd'. + Run the below command (based on the etcd data directory found above). + For example, chown etcd:etcd /var/lib/etcd + scored: true + - id: 1.1.13 text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)" audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/cred/admin.kubeconfig"
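Review bot: The remediation examples (`chmod 700 /var/lib/etcd`, `chown etcd:etcd /var/lib/etcd`) do not match the path the audits actually check, `/var/lib/rancher/rke2/server/db/etcd`, so the documented fix would not change the audited directory; use the RKE2 path in both examples. 1.1.12 stays `type: "skip"` with `scored: true`, which kube-bench presumably reports as a warning on every run; the 1.7 RKE profile in this same patch documents its skip with a "Permissive" note, and the same one-line explanation here would make the intent clear. The surrounding `checks:` list starts and ends outside this hunk.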