diff --git a/cfg/1.11-json/node.yaml b/cfg/1.11-json/node.yaml index 9dfc65c..f85687d 100644 --- a/cfg/1.11-json/node.yaml +++ b/cfg/1.11-json/node.yaml @@ -462,8 +462,14 @@ groups: - id: 2.2.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" - type: manual + audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true remediation: | Run the following command to modify the ownership of the --client-ca-file . chown root:root diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml index 0a9ba8e..01faf1e 100644 --- a/cfg/1.11/node.yaml +++ b/cfg/1.11/node.yaml @@ -453,8 +453,14 @@ groups: - id: 2.2.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" - type: manual + audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true remediation: | Run the following command to modify the ownership of the --client-ca-file . chown root:root diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml index 1469899..865c96e 100644 --- a/cfg/1.13/node.yaml +++ b/cfg/1.13/node.yaml @@ -434,8 +434,14 @@ groups: - id: 2.2.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" - type: manual + audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true remediation: | Run the following command to modify the ownership of the --client-ca-file . chown root:root diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml index 05edbfe..7740d72 100644 --- a/cfg/1.8/node.yaml +++ b/cfg/1.8/node.yaml @@ -430,9 +430,15 @@ groups: scored: true - id: 2.2.8 - text: "Ensure that the client certificate authorities file ownership is set to root:root" - audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" - type: manual + text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true remediation: | Run the following command to modify the ownership of the --client-ca-file . chown root:root diff --git a/cfg/config.yaml b/cfg/config.yaml index 340b905..a538f84 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -81,6 +81,8 @@ node: defaultconf: /etc/kubernetes/config kubelet: + cafile: + - "/etc/kubernetes/pki/ca.crt" bins: - "hyperkube kubelet" - "kubelet" @@ -91,6 +93,7 @@ node: defaultconf: "/var/lib/kubelet/config.yaml" defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" defaultkubeconfig: "/etc/kubernetes/kubelet.conf" + defaultcafile: "/etc/kubernetes/pki/ca.crt" proxy: bins: diff --git a/cmd/common.go b/cmd/common.go index 9297ea7..41e5cd7 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -85,6 +85,7 @@ func runChecks(nodetype check.NodeType) { confmap := getConfigFiles(typeConf) svcmap := getServiceFiles(typeConf) kubeconfmap := getKubeConfigFiles(typeConf) + cafilemap := getCaFile(typeConf) // Variable substitutions. Replace all occurrences of variables in controls files. s := string(in) @@ -92,6 +93,7 @@ func runChecks(nodetype check.NodeType) { s = makeSubstitutions(s, "conf", confmap) s = makeSubstitutions(s, "svc", svcmap) s = makeSubstitutions(s, "kubeconfig", kubeconfmap) + s = makeSubstitutions(s, "cafile", cafilemap) controls, err := check.NewControls(nodetype, []byte(s)) if err != nil { diff --git a/cmd/util.go b/cmd/util.go index f2a34f3..28490d9 100644 --- a/cmd/util.go +++ b/cmd/util.go @@ -258,6 +258,35 @@ func getKubeConfigFiles(v *viper.Viper) map[string]string { return kubeconfigmap } +// getCaFile finds which of the set of client certificate authorities files exist +func getCaFile(v *viper.Viper) map[string]string { + cafilemap := make(map[string]string) + + for _, component := range v.GetStringSlice("components") { + s := v.Sub(component) + if s == nil { + continue + } + + cafile := findConfigFile(s.GetStringSlice("cafile")) + if cafile == "" { + if s.IsSet("defaultcafile") { + cafile = s.GetString("defaultcafile") + glog.V(2).Info(fmt.Sprintf("Using default client CA file name '%s' for component %s", cafile, component)) + } else { + glog.V(2).Info(fmt.Sprintf("Missing client CA file for %s", component)) + cafile = component + } + } else { + glog.V(2).Info(fmt.Sprintf("Component %s uses client CA file '%s'", component, cafile)) + } + + cafilemap[component] = cafile + } + + return cafilemap +} + // verifyBin checks that the binary specified is running func verifyBin(bin string) bool {