
support customize datadir locations of etcd (#1330)

This commit is contained in:
Huang Huang 2022-11-25 21:32:49 +08:00 committed by GitHub
parent 3ccafa7be1
commit 865817dfda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 105 additions and 6 deletions


@ -153,7 +153,13 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
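Review bot: The new audit script silently switches to `$etcddatadir` whenever none of the `--data-dir` values parsed from `ps` passes `test -d`, and that is exactly what happens when etcd was started with a path relative to its own working directory, since `test -d "$d"` runs in kube-bench's directory, not etcd's; the old one-liner failed loudly in that case, the new one reports on the default directory and, if that path exists on the host, can produce a pass that says nothing about the directory the running process uses. The loop also keeps only the last directory that exists, so with more than one etcd process only one data directory is audited and the rest are skipped without any trace in the output. At minimum the fallback should be visible to whoever reads the result, e.g. make the final line `stat -c permissions=%a "$DATA_DIR" && echo "data_dir=$DATA_DIR"`, or add a shell comment above the `if ! test -d` line such as `# fallback: $etcddatadir is a configured guess, not the running process's directory`. The same script is repeated in the next three file sections, so the same fix applies there.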


@ -147,7 +147,13 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"


@ -158,7 +158,13 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -176,7 +182,13 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G $DATA_DIR
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"
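Review bot: The ownership check's final line `stat -c %U:%G $DATA_DIR` leaves `$DATA_DIR` unquoted, while the permissions check in the hunk above quotes it as `"$DATA_DIR"`; a data directory path containing whitespace is split into several arguments here and the check ends up stat-ing the wrong thing or failing. Make it `stat -c %U:%G "$DATA_DIR"` for consistency with 1.1.11. The second hunk of the next file section has the identical unquoted line and needs the same change.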


@ -153,7 +153,13 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -170,7 +176,13 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G $DATA_DIR
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"


@ -89,6 +89,9 @@ master:
bins: bins:
- "etcd" - "etcd"
- "openshift start etcd" - "openshift start etcd"
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
confs: confs:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml - /etc/kubernetes/manifests/etcd.yml
@ -99,6 +102,7 @@ master:
- /var/snap/microk8s/current/args/etcd - /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service - /usr/lib/systemd/system/etcd.service
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd
flanneld: flanneld:
optional: true optional: true
@ -211,6 +215,9 @@ etcd:
etcd: etcd:
bins: bins:
- "etcd" - "etcd"
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
confs: confs:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml - /etc/kubernetes/manifests/etcd.yml
@ -221,6 +228,7 @@ etcd:
- /var/snap/microk8s/current/args/etcd - /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service - /usr/lib/systemd/system/etcd.service
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd
controlplane: controlplane:
components: components:
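Review bot: The new `datadirs` and `defaultdatadir` keys are added under both the `master` and `etcd` etcd entries without any comment explaining how they relate to each other or to the `$etcddatadir` variable the controls files now use, and `/var/lib/etcd/default.etcd` appears both as the first candidate and as the default, which will read as a mistake to the next person editing this file. A short comment above each `datadirs:` list would settle it, e.g. `# candidate etcd data directories; an existing one is substituted for $etcddatadir, otherwise defaultdatadir is used (see getFiles)`. How getFiles chooses when several candidates exist is not visible in this commit, so keep the wording to what the lookup actually guarantees.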


@ -96,6 +96,7 @@ func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
svcmap := getFiles(typeConf, "service") svcmap := getFiles(typeConf, "service")
kubeconfmap := getFiles(typeConf, "kubeconfig") kubeconfmap := getFiles(typeConf, "kubeconfig")
cafilemap := getFiles(typeConf, "ca") cafilemap := getFiles(typeConf, "ca")
datadirmap := getFiles(typeConf, "datadir")
// Variable substitutions. Replace all occurrences of variables in controls files. // Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in) s := string(in)
@ -104,6 +105,7 @@ func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
s, _ = makeSubstitutions(s, "svc", svcmap) s, _ = makeSubstitutions(s, "svc", svcmap)
s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap) s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap)
s, _ = makeSubstitutions(s, "cafile", cafilemap) s, _ = makeSubstitutions(s, "cafile", cafilemap)
s, _ = makeSubstitutions(s, "datadir", datadirmap)
controls, err := check.NewControls(nodetype, []byte(s), detectedVersion) controls, err := check.NewControls(nodetype, []byte(s), detectedVersion)
if err != nil { if err != nil {
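Review bot: The commit introduces a new user-facing substitution variable through `makeSubstitutions(s, "datadir", datadirmap)` but none of the eight changed files documents it, so authors of custom controls files have no reference for `$etcddatadir` beyond reading the cfg YAML. If the project keeps a list of substitution variables in its documentation, the `$<component>datadir` form should be added there next to the existing `$<component>bin` entries in the same commit. Dropping the error with `s, _ =` matches the surrounding substitution lines, so that is not a new issue, though it does mean a failed lookup leaves the literal `$etcddatadir` in the audit command. runChecks begins and ends outside the hunk.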


@ -33,6 +33,7 @@ var (
"kubeconfig": {"kubeconfig", "defaultkubeconfig"}, "kubeconfig": {"kubeconfig", "defaultkubeconfig"},
"service": {"svc", "defaultsvc"}, "service": {"svc", "defaultsvc"},
"config": {"confs", "defaultconf"}, "config": {"confs", "defaultconf"},
"datadir": {"datadirs", "defaultdatadir"},
} }
) )
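Review bot: Registering `"datadir": {"datadirs", "defaultdatadir"}` routes directory candidates through the same getFiles lookup that was written for config, service and kubeconfig files, and from the test in this commit that lookup appears to decide on a stat error alone; if so, a regular file sitting at one of the `datadirs` paths would be accepted as the data directory and the audit's `test -d` would then fall through to the default. Since getFiles is outside the hunk I cannot confirm this, but it is worth a check of the stat result's `IsDir()` for the datadir type, or a comment on this map entry such as `// datadir candidates are only checked for existence, not for being a directory`. The enclosing var block starts outside the hunk.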


@ -395,6 +395,58 @@ func TestGetServiceFiles(t *testing.T) {
} }
} }
func TestGetDatadirFiles(t *testing.T) {
var err error
datadir, err := ioutil.TempDir("", "kube-bench-test-etcd-data-dir")
if err != nil {
t.Fatalf("Failed to create temp directory")
}
defer os.RemoveAll(datadir)
cases := []struct {
config map[string]interface{}
exp map[string]string
statResults []error
}{
{
config: map[string]interface{}{
"components": []string{"etcd"},
"etcd": map[string]interface{}{"datadirs": []string{datadir},
"defaultdatadir": "/var/lib/etcd/default.etcd"},
},
statResults: []error{nil},
exp: map[string]string{"etcd": datadir},
},
// fallback to defaultdatadir
{
config: map[string]interface{}{
"components": []string{"etcd"},
"etcd": map[string]interface{}{"datadirs": []string{"/path/to/etcd/data.etcd"},
"defaultdatadir": "/var/lib/etcd/default.etcd"},
},
statResults: []error{os.ErrNotExist},
exp: map[string]string{"etcd": "/var/lib/etcd/default.etcd"},
},
}
v := viper.New()
statFunc = fakestat
for id, c := range cases {
t.Run(strconv.Itoa(id), func(t *testing.T) {
for k, val := range c.config {
v.Set(k, val)
}
e = c.statResults
eIndex = 0
m := getFiles(v, "datadir")
if !reflect.DeepEqual(m, c.exp) {
t.Fatalf("Got %v\nExpected %v", m, c.exp)
}
})
}
}
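Review bot: `t.Fatalf("Failed to create temp directory")` discards the error that `ioutil.TempDir` returned, so a failure here gives no clue why; use `t.Fatalf("Failed to create temp directory: %v", err)`, and the preceding `var err error` is redundant because `datadir, err :=` declares `err` itself. Because `statFunc = fakestat` is installed before the cases run and the first case supplies `statResults: []error{nil}`, the real temp directory is never consulted — the case would pass with any string in `datadirs` — so either drop the temp directory or let that case run against the real stat to actually prove an existing directory is picked. `statFunc` is also never restored after the test, which leaks the fake into whatever runs next; `prev := statFunc; t.Cleanup(func() { statFunc = prev })` keeps it scoped. If the temp directory is kept, `t.TempDir()` removes both the error check and the `defer os.RemoveAll`.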
func TestMakeSubsitutions(t *testing.T) { func TestMakeSubsitutions(t *testing.T) {
cases := []struct { cases := []struct {
input string input string