issue #234: implement test 2.2.8 (#343)

* implement test 2.2.8

* Nit: correct indentation

The indentation looked a bit wonky due to spaces vs tabs; hopefully this corrects it

cfg/1.11-json/node.yaml

@@ -462,8 +462,14 @@ groups:
 
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
-      type: manual
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/1.11/node.yaml

@@ -453,8 +453,14 @@ groups:
 
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
-      type: manual
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/1.13/node.yaml

@@ -434,8 +434,14 @@ groups:
 
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
-      type: manual
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/1.8/node.yaml

@@ -430,9 +430,15 @@ groups:
       scored: true
 
     - id: 2.2.8
-      text: "Ensure that the client certificate authorities file ownership is set to root:root"
+      text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
-      type: manual
+      tests:
+        test_items:
+          - flag: "root:root"
+            compare:
+              op: eq
+              value: root:root
+            set: true
       remediation: |
         Run the following command to modify the ownership of the --client-ca-file .
         chown root:root <filename>

cfg/config.yaml

@@ -81,6 +81,8 @@ node:
     defaultconf: /etc/kubernetes/config    
 
   kubelet:
+    cafile:
+      - "/etc/kubernetes/pki/ca.crt"
     bins:
       - "hyperkube kubelet"
       - "kubelet"
@@ -91,6 +93,7 @@ node:
     defaultconf: "/var/lib/kubelet/config.yaml"
     defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
     defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
+    defaultcafile: "/etc/kubernetes/pki/ca.crt"
 
   proxy:
     bins:

cmd/common.go

@@ -85,6 +85,7 @@ func runChecks(nodetype check.NodeType) {
 	confmap := getConfigFiles(typeConf)
 	svcmap := getServiceFiles(typeConf)
 	kubeconfmap := getKubeConfigFiles(typeConf)
+	cafilemap := getCaFile(typeConf)
 
 	// Variable substitutions. Replace all occurrences of variables in controls files.
 	s := string(in)
@@ -92,6 +93,7 @@ func runChecks(nodetype check.NodeType) {
 	s = makeSubstitutions(s, "conf", confmap)
 	s = makeSubstitutions(s, "svc", svcmap)
 	s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
+	s = makeSubstitutions(s, "cafile", cafilemap)
 
 	controls, err := check.NewControls(nodetype, []byte(s))
 	if err != nil {

cmd/util.go

@@ -258,6 +258,35 @@ func getKubeConfigFiles(v *viper.Viper) map[string]string {
 	return kubeconfigmap
 }
 
+// getCaFile finds which of the set of client certificate authorities files exist
+func getCaFile(v *viper.Viper) map[string]string {
+        cafilemap := make(map[string]string)
+
+        for _, component := range v.GetStringSlice("components") {
+                s := v.Sub(component)
+                if s == nil {
+                        continue
+                }
+
+                cafile := findConfigFile(s.GetStringSlice("cafile"))
+                if cafile == "" {
+                        if s.IsSet("defaultcafile") {
+                                cafile = s.GetString("defaultcafile")
+                                glog.V(2).Info(fmt.Sprintf("Using default client CA file name '%s' for component %s", cafile, component))
+                        } else {
+                                glog.V(2).Info(fmt.Sprintf("Missing client CA file for %s", component))
+                                cafile = component
+                        }
+                } else {
+                        glog.V(2).Info(fmt.Sprintf("Component %s uses client CA file '%s'", component, cafile))
+                }
+
+                cafilemap[component] = cafile
+        }
+
+        return cafilemap
+}
+
 // verifyBin checks that the binary specified is running
 func verifyBin(bin string) bool {