Replace custom k3s etcd script checks with vanilla grep checks (#1601)
* Replace custom k3s etcd script checks with vanilla grep checks Signed-off-by: Derek Nola <derek.nola@suse.com> * Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etcddatadir Signed-off-by: Derek Nola <derek.nola@suse.com> * chore: update go-linter version Signed-off-by: chenk <hen.keinan@gmail.com> * Use etcddatadir variable Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Derek Nola <derek.nola@suse.com> Signed-off-by: chenk <hen.keinan@gmail.com> Co-authored-by: chenk <hen.keinan@gmail.com>
This commit is contained in:
parent
2a8615befd
commit
ed51191d7c
2
.github/workflows/build.yml
vendored
2
.github/workflows/build.yml
vendored
@ -34,7 +34,7 @@ jobs:
|
|||||||
- name: Setup golangci-lint
|
- name: Setup golangci-lint
|
||||||
uses: golangci/golangci-lint-action@v4
|
uses: golangci/golangci-lint-action@v4
|
||||||
with:
|
with:
|
||||||
version: latest
|
version: v1.57.2
|
||||||
args: --verbose
|
args: --verbose
|
||||||
unit:
|
unit:
|
||||||
name: Unit tests
|
name: Unit tests
|
||||||
|
@ -95,6 +95,7 @@ master:
|
|||||||
datadirs:
|
datadirs:
|
||||||
- /var/lib/etcd/default.etcd
|
- /var/lib/etcd/default.etcd
|
||||||
- /var/lib/etcd/data.etcd
|
- /var/lib/etcd/data.etcd
|
||||||
|
- /var/lib/rancher/k3s/server/db/etcd
|
||||||
confs:
|
confs:
|
||||||
- /etc/kubernetes/manifests/etcd.yaml
|
- /etc/kubernetes/manifests/etcd.yaml
|
||||||
- /etc/kubernetes/manifests/etcd.yml
|
- /etc/kubernetes/manifests/etcd.yml
|
||||||
@ -105,6 +106,7 @@ master:
|
|||||||
- /var/snap/microk8s/current/args/etcd
|
- /var/snap/microk8s/current/args/etcd
|
||||||
- /usr/lib/systemd/system/etcd.service
|
- /usr/lib/systemd/system/etcd.service
|
||||||
- /var/lib/rancher/rke2/server/db/etcd/config
|
- /var/lib/rancher/rke2/server/db/etcd/config
|
||||||
|
- /var/lib/rancher/k3s/server/db/etcd/config
|
||||||
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||||
defaultdatadir: /var/lib/etcd/default.etcd
|
defaultdatadir: /var/lib/etcd/default.etcd
|
||||||
|
|
||||||
@ -234,6 +236,7 @@ etcd:
|
|||||||
datadirs:
|
datadirs:
|
||||||
- /var/lib/etcd/default.etcd
|
- /var/lib/etcd/default.etcd
|
||||||
- /var/lib/etcd/data.etcd
|
- /var/lib/etcd/data.etcd
|
||||||
|
- /var/lib/rancher/k3s/server/db/etcd
|
||||||
confs:
|
confs:
|
||||||
- /etc/kubernetes/manifests/etcd.yaml
|
- /etc/kubernetes/manifests/etcd.yaml
|
||||||
- /etc/kubernetes/manifests/etcd.yml
|
- /etc/kubernetes/manifests/etcd.yml
|
||||||
|
@ -24,7 +24,8 @@ master:
|
|||||||
etcd:
|
etcd:
|
||||||
bins:
|
bins:
|
||||||
- containerd
|
- containerd
|
||||||
|
datadirs:
|
||||||
|
- /var/lib/rancher/k3s/server/db/etcd
|
||||||
node:
|
node:
|
||||||
components:
|
components:
|
||||||
- kubelet
|
- kubelet
|
||||||
|
@ -10,15 +10,13 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 2.1
|
- id: 2.1
|
||||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
|
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.1"
|
audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "cert-file"
|
- flag: "cert-file"
|
||||||
env: "ETCD_CERT_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
- flag: "key-file"
|
- flag: "key-file"
|
||||||
env: "ETCD_KEY_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the etcd service documentation and configure TLS encryption.
|
Follow the etcd service documentation and configure TLS encryption.
|
||||||
@ -30,14 +28,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2
|
- id: 2.2
|
||||||
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
|
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.2"
|
audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-cert-auth"
|
- flag: "--client-cert-auth"
|
||||||
set: true
|
set: true
|
||||||
- flag: "client-cert-auth"
|
- flag: "client-cert-auth"
|
||||||
env: "ETCD_CLIENT_CERT_AUTH"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -50,15 +47,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.3
|
- id: 2.3
|
||||||
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
|
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.3"
|
audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--auto-tls"
|
- flag: "--auto-tls"
|
||||||
env: "ETCD_AUTO_TLS"
|
|
||||||
set: false
|
set: false
|
||||||
- flag: "--auto-tls"
|
- flag: "--auto-tls"
|
||||||
env: "ETCD_AUTO_TLS"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
@ -70,15 +65,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.4
|
- id: 2.4
|
||||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
|
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.4"
|
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "cert-file"
|
- flag: "cert-file"
|
||||||
env: "ETCD_PEER_CERT_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
- flag: "key-file"
|
- flag: "key-file"
|
||||||
env: "ETCD_PEER_KEY_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
||||||
@ -91,14 +84,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.5
|
- id: 2.5
|
||||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
|
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.5"
|
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-cert-auth"
|
- flag: "--client-cert-auth"
|
||||||
set: true
|
set: true
|
||||||
- flag: "client-cert-auth"
|
- flag: "client-cert-auth"
|
||||||
env: "ETCD_PEER_CLIENT_CERT_AUTH"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -111,15 +103,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.6
|
- id: 2.6
|
||||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
|
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.6"
|
audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--peer-auto-tls"
|
- flag: "--peer-auto-tls"
|
||||||
env: "ETCD_PEER_AUTO_TLS"
|
|
||||||
set: false
|
set: false
|
||||||
- flag: "--peer-auto-tls"
|
- flag: "--peer-auto-tls"
|
||||||
env: "ETCD_PEER_AUTO_TLS"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
@ -132,11 +122,10 @@ groups:
|
|||||||
|
|
||||||
- id: 2.7
|
- id: 2.7
|
||||||
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
|
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.7"
|
audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "trusted-ca-file"
|
- flag: "trusted-ca-file"
|
||||||
env: "ETCD_TRUSTED_CA_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
[Manual test]
|
[Manual test]
|
||||||
|
@ -155,7 +155,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 1.1.11"
|
audit: "stat -c %a $etcddatadir"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "700"
|
- flag: "700"
|
||||||
@ -736,7 +736,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.2.26
|
- id: 1.2.26
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
|
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 1.2.29"
|
audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
|
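Review bot: `grep -m1 'Running kube-apiserver'` on the new `audit:` line returns the first matching journal entry, which on a node that has been restarted is the oldest start, so the flags audited may belong to a previous configuration rather than the running process. The last copy of this check in the commit (the hunk at -738 near the end) uses `grep 'Running kube-apiserver' | tail -n1`, which reads the most recent start; the two should agree, and the `tail -n1` form is the one to keep here and in the second copy (hunk at -735). The `-D /var/log/journal` path also presumes persistent journald storage; with a volatile journal the command produces no output and the `bin_op: and` tests fail, which is acceptable but worth a comment such as `# requires persistent journald storage under /var/log/journal`. The test_items of this check continue outside the hunk.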
@ -24,6 +24,8 @@ master:
|
|||||||
etcd:
|
etcd:
|
||||||
bins:
|
bins:
|
||||||
- containerd
|
- containerd
|
||||||
|
datadirs:
|
||||||
|
- /var/lib/rancher/k3s/server/db/etcd
|
||||||
|
|
||||||
node:
|
node:
|
||||||
components:
|
components:
|
||||||
|
@ -10,15 +10,13 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 2.1
|
- id: 2.1
|
||||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
|
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.1"
|
audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "cert-file"
|
- flag: "cert-file"
|
||||||
env: "ETCD_CERT_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
- flag: "key-file"
|
- flag: "key-file"
|
||||||
env: "ETCD_KEY_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the etcd service documentation and configure TLS encryption.
|
Follow the etcd service documentation and configure TLS encryption.
|
||||||
@ -30,14 +28,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2
|
- id: 2.2
|
||||||
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
|
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.2"
|
audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-cert-auth"
|
- flag: "--client-cert-auth"
|
||||||
set: true
|
set: true
|
||||||
- flag: "client-cert-auth"
|
- flag: "client-cert-auth"
|
||||||
env: "ETCD_CLIENT_CERT_AUTH"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -50,15 +47,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.3
|
- id: 2.3
|
||||||
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
|
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.3"
|
audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--auto-tls"
|
- flag: "--auto-tls"
|
||||||
env: "ETCD_AUTO_TLS"
|
|
||||||
set: false
|
set: false
|
||||||
- flag: "--auto-tls"
|
- flag: "--auto-tls"
|
||||||
env: "ETCD_AUTO_TLS"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
@ -70,15 +65,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.4
|
- id: 2.4
|
||||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
|
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.4"
|
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "cert-file"
|
- flag: "cert-file"
|
||||||
env: "ETCD_PEER_CERT_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
- flag: "key-file"
|
- flag: "key-file"
|
||||||
env: "ETCD_PEER_KEY_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
||||||
@ -91,14 +84,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.5
|
- id: 2.5
|
||||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
|
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.5"
|
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-cert-auth"
|
- flag: "--client-cert-auth"
|
||||||
set: true
|
set: true
|
||||||
- flag: "client-cert-auth"
|
- flag: "client-cert-auth"
|
||||||
env: "ETCD_PEER_CLIENT_CERT_AUTH"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -111,15 +103,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.6
|
- id: 2.6
|
||||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
|
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.6"
|
audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--peer-auto-tls"
|
- flag: "--peer-auto-tls"
|
||||||
env: "ETCD_PEER_AUTO_TLS"
|
|
||||||
set: false
|
set: false
|
||||||
- flag: "--peer-auto-tls"
|
- flag: "--peer-auto-tls"
|
||||||
env: "ETCD_PEER_AUTO_TLS"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
@ -132,11 +122,10 @@ groups:
|
|||||||
|
|
||||||
- id: 2.7
|
- id: 2.7
|
||||||
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
|
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.7"
|
audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "trusted-ca-file"
|
- flag: "trusted-ca-file"
|
||||||
env: "ETCD_TRUSTED_CA_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
[Manual test]
|
[Manual test]
|
||||||
|
@ -155,7 +155,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 1.1.11"
|
audit: "stat -c %a $etcddatadir"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "700"
|
- flag: "700"
|
||||||
@ -735,7 +735,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.2.26
|
- id: 1.2.26
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
|
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 1.2.29"
|
audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -31,7 +31,8 @@ master:
|
|||||||
etcd:
|
etcd:
|
||||||
bins:
|
bins:
|
||||||
- containerd
|
- containerd
|
||||||
|
datadirs:
|
||||||
|
- /var/lib/rancher/k3s/server/db/etcd
|
||||||
node:
|
node:
|
||||||
components:
|
components:
|
||||||
- kubelet
|
- kubelet
|
||||||
|
@ -10,15 +10,13 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 2.1
|
- id: 2.1
|
||||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
|
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.1"
|
audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "cert-file"
|
- flag: "cert-file"
|
||||||
env: "ETCD_CERT_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
- flag: "key-file"
|
- flag: "key-file"
|
||||||
env: "ETCD_KEY_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the etcd service documentation and configure TLS encryption.
|
Follow the etcd service documentation and configure TLS encryption.
|
||||||
@ -30,14 +28,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2
|
- id: 2.2
|
||||||
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
|
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.2"
|
audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-cert-auth"
|
- flag: "--client-cert-auth"
|
||||||
set: true
|
set: true
|
||||||
- flag: "client-cert-auth"
|
- flag: "client-cert-auth"
|
||||||
env: "ETCD_CLIENT_CERT_AUTH"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -50,15 +47,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.3
|
- id: 2.3
|
||||||
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
|
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.3"
|
audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--auto-tls"
|
- flag: "--auto-tls"
|
||||||
env: "ETCD_AUTO_TLS"
|
|
||||||
set: false
|
set: false
|
||||||
- flag: "--auto-tls"
|
- flag: "--auto-tls"
|
||||||
env: "ETCD_AUTO_TLS"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
@ -70,15 +65,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.4
|
- id: 2.4
|
||||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
|
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.4"
|
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "cert-file"
|
- flag: "cert-file"
|
||||||
env: "ETCD_PEER_CERT_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
- flag: "key-file"
|
- flag: "key-file"
|
||||||
env: "ETCD_PEER_KEY_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
Follow the etcd service documentation and configure peer TLS encryption as appropriate
|
||||||
@ -91,14 +84,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.5
|
- id: 2.5
|
||||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
|
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.5"
|
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-cert-auth"
|
- flag: "--client-cert-auth"
|
||||||
set: true
|
set: true
|
||||||
- flag: "client-cert-auth"
|
- flag: "client-cert-auth"
|
||||||
env: "ETCD_PEER_CLIENT_CERT_AUTH"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
@ -111,15 +103,13 @@ groups:
|
|||||||
|
|
||||||
- id: 2.6
|
- id: 2.6
|
||||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
|
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.6"
|
audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--peer-auto-tls"
|
- flag: "--peer-auto-tls"
|
||||||
env: "ETCD_PEER_AUTO_TLS"
|
|
||||||
set: false
|
set: false
|
||||||
- flag: "--peer-auto-tls"
|
- flag: "--peer-auto-tls"
|
||||||
env: "ETCD_PEER_AUTO_TLS"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
@ -132,11 +122,10 @@ groups:
|
|||||||
|
|
||||||
- id: 2.7
|
- id: 2.7
|
||||||
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
|
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 2.7"
|
audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "trusted-ca-file"
|
- flag: "trusted-ca-file"
|
||||||
env: "ETCD_TRUSTED_CA_FILE"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
[Manual test]
|
[Manual test]
|
||||||
|
@ -167,7 +167,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 1.1.11"
|
audit: "stat -c %a $etcddatadir"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "700"
|
- flag: "700"
|
||||||
@ -738,7 +738,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.2.25
|
- id: 1.2.25
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
|
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
|
||||||
audit: "check_for_k3s_etcd.sh 1.2.29"
|
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
|