issue #234: implement test 2.2.8 (#343)

* implement test 2.2.8 * Nit: correct indentation The indentation looked a bit wonky due to spaces vs tabs; hopefully this corrects it
5 years ago · d8528a1ec8
parent a0bed18054
commit d8528a1ec8
7 changed files with 67 additions and 9 deletions
--- a/cfg/1.11-json/node.yaml
+++ b/cfg/1.11-json/node.yaml
@ -462,8 +462,14 @@ groups:

    - id: 2.2.8
      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
      remediation: |
        Run the following command to modify the ownership of the --client-ca-file .
        chown root:root <filename>
--- a/cfg/1.11/node.yaml
+++ b/cfg/1.11/node.yaml
@ -453,8 +453,14 @@ groups:

    - id: 2.2.8
      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
      remediation: |
        Run the following command to modify the ownership of the --client-ca-file .
        chown root:root <filename>
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@ -434,8 +434,14 @@ groups:

    - id: 2.2.8
      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
      remediation: |
        Run the following command to modify the ownership of the --client-ca-file .
        chown root:root <filename>
--- a/cfg/1.8/node.yaml
+++ b/cfg/1.8/node.yaml
@ -430,9 +430,15 @@ groups:
      scored: true

    - id: 2.2.8
-      text: "Ensure that the client certificate authorities file ownership is set to root:root"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      type: manual
+      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
      remediation: |
        Run the following command to modify the ownership of the --client-ca-file .
        chown root:root <filename>
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@ -81,6 +81,8 @@ node:
    defaultconf: /etc/kubernetes/config    

  kubelet:
+    cafile:
+      - "/etc/kubernetes/pki/ca.crt"
    bins:
      - "hyperkube kubelet"
      - "kubelet"
@ -91,6 +93,7 @@ node:
    defaultconf: "/var/lib/kubelet/config.yaml"
    defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
    defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
+    defaultcafile: "/etc/kubernetes/pki/ca.crt"

  proxy:
    bins:
--- a/cmd/common.go
+++ b/cmd/common.go
@ -85,6 +85,7 @@ func runChecks(nodetype check.NodeType) {
 	confmap := getConfigFiles(typeConf)
 	svcmap := getServiceFiles(typeConf)
 	kubeconfmap := getKubeConfigFiles(typeConf)
+	cafilemap := getCaFile(typeConf)

 	// Variable substitutions. Replace all occurrences of variables in controls files.
 	s := string(in)
@ -92,6 +93,7 @@ func runChecks(nodetype check.NodeType) {
 	s = makeSubstitutions(s, "conf", confmap)
 	s = makeSubstitutions(s, "svc", svcmap)
 	s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
+	s = makeSubstitutions(s, "cafile", cafilemap)

 	controls, err := check.NewControls(nodetype, []byte(s))
 	if err != nil {
--- a/cmd/util.go
+++ b/cmd/util.go
@ -258,6 +258,35 @@ func getKubeConfigFiles(v *viper.Viper) map[string]string {
 	return kubeconfigmap
 }

+// getCaFile finds which of the set of client certificate authorities files exist
+func getCaFile(v *viper.Viper) map[string]string {
+        cafilemap := make(map[string]string)
+
+        for _, component := range v.GetStringSlice("components") {
+                s := v.Sub(component)
+                if s == nil {
+                        continue
+                }
+
+                cafile := findConfigFile(s.GetStringSlice("cafile"))
+                if cafile == "" {
+                        if s.IsSet("defaultcafile") {
+                                cafile = s.GetString("defaultcafile")
+                                glog.V(2).Info(fmt.Sprintf("Using default client CA file name '%s' for component %s", cafile, component))
+                        } else {
+                                glog.V(2).Info(fmt.Sprintf("Missing client CA file for %s", component))
+                                cafile = component
+                        }
+                } else {
+                        glog.V(2).Info(fmt.Sprintf("Component %s uses client CA file '%s'", component, cafile))
+                }
+
+                cafilemap[component] = cafile
+        }
+
+        return cafilemap
+}
+
 // verifyBin checks that the binary specified is running
 func verifyBin(bin string) bool {