
Replace custom k3s etcd script checks with vanilla grep checks (#1601)

* Replace custom k3s etcd script checks with vanilla grep checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etcddatadir

Signed-off-by: Derek Nola <derek.nola@suse.com>

* chore: update go-linter version

Signed-off-by: chenk <hen.keinan@gmail.com>

* Use etcddatadir variable

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
This commit is contained in:
Derek Nola 2024-05-20 03:47:15 -07:00 committed by GitHub
parent 2a8615befd
commit ed51191d7c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 37 additions and 63 deletions


@ -34,7 +34,7 @@ jobs:
- name: Setup golangci-lint - name: Setup golangci-lint
uses: golangci/golangci-lint-action@v4 uses: golangci/golangci-lint-action@v4
with: with:
version: latest version: v1.57.2
args: --verbose args: --verbose
unit: unit:
name: Unit tests name: Unit tests


@ -95,6 +95,7 @@ master:
datadirs: datadirs:
- /var/lib/etcd/default.etcd - /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd - /var/lib/etcd/data.etcd
- /var/lib/rancher/k3s/server/db/etcd
confs: confs:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml - /etc/kubernetes/manifests/etcd.yml
@ -105,6 +106,7 @@ master:
- /var/snap/microk8s/current/args/etcd - /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service - /usr/lib/systemd/system/etcd.service
- /var/lib/rancher/rke2/server/db/etcd/config - /var/lib/rancher/rke2/server/db/etcd/config
- /var/lib/rancher/k3s/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd defaultdatadir: /var/lib/etcd/default.etcd
@ -234,6 +236,7 @@ etcd:
datadirs: datadirs:
- /var/lib/etcd/default.etcd - /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd - /var/lib/etcd/data.etcd
- /var/lib/rancher/k3s/server/db/etcd
confs: confs:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml - /etc/kubernetes/manifests/etcd.yml
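Review bot: The `etcd:` node section of this file gains the k3s data dir in `datadirs`, but as far as this page shows it gets no matching `/var/lib/rancher/k3s/server/db/etcd/config` entry in its `confs`, while the `master:` section receives both. If the k3s `etcd.yaml` checks resolve `$etcdconf` from `etcd.etcd.confs` (I believe kube-bench reads the component from the section of the node type being checked) and neither the k3s-specific config.yaml nor an existing entry supplies that path, `$etcdconf` falls back to `defaultconf` and every grep-based etcd check introduced in this commit audits the wrong file. Adding the same `- /var/lib/rancher/k3s/server/db/etcd/config` line under that section's `confs`, or confirming it is already present, would close the gap. The hunk shows only the `datadirs` block of the `etcd:` section, so its `confs` block is not visible here.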


@ -24,7 +24,8 @@ master:
etcd: etcd:
bins: bins:
- containerd - containerd
datadirs:
- /var/lib/rancher/k3s/server/db/etcd
node: node:
components: components:
- kubelet - kubelet


@ -10,15 +10,13 @@ groups:
checks: checks:
- id: 2.1 - id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.1" audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "cert-file" - flag: "cert-file"
env: "ETCD_CERT_FILE"
set: true set: true
- flag: "key-file" - flag: "key-file"
env: "ETCD_KEY_FILE"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure TLS encryption. Follow the etcd service documentation and configure TLS encryption.
@ -30,14 +28,13 @@ groups:
- id: 2.2 - id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)" text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.2" audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
set: true set: true
- flag: "client-cert-auth" - flag: "client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare: compare:
op: eq op: eq
value: true value: true
@ -50,15 +47,13 @@ groups:
- id: 2.3 - id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)" text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.3" audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--auto-tls" - flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false set: false
- flag: "--auto-tls" - flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare: compare:
op: eq op: eq
value: false value: false
@ -70,15 +65,13 @@ groups:
- id: 2.4 - id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.4" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "cert-file" - flag: "cert-file"
env: "ETCD_PEER_CERT_FILE"
set: true set: true
- flag: "key-file" - flag: "key-file"
env: "ETCD_PEER_KEY_FILE"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate Follow the etcd service documentation and configure peer TLS encryption as appropriate
@ -91,14 +84,13 @@ groups:
- id: 2.5 - id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.5" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
set: true set: true
- flag: "client-cert-auth" - flag: "client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
compare: compare:
op: eq op: eq
value: true value: true
@ -111,15 +103,13 @@ groups:
- id: 2.6 - id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.6" audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false set: false
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
compare: compare:
op: eq op: eq
value: false value: false
@ -132,11 +122,10 @@ groups:
- id: 2.7 - id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
audit: "check_for_k3s_etcd.sh 2.7" audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
tests: tests:
test_items: test_items:
- flag: "trusted-ca-file" - flag: "trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
set: true set: true
remediation: | remediation: |
[Manual test] [Manual test]
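Review bot: In check 2.3 the new audit prints the raw YAML line `auto-tls: <value>` (or the literal `notset`), yet both test items still look for the flag `--auto-tls`, a token that output never contains, so the first item's `set: false` is always satisfied and the `or` passes even when auto-tls is true. Check 2.6 has the same mismatch with `--peer-auto-tls`; compare 2.2, where the second item uses the dash-less `client-cert-auth` to match the YAML key. If kube-bench's flag matcher requires the token as it appears in the audit output, which the 2.2 item suggests, the items should read `- flag: "auto-tls"` and `- flag: "peer-auto-tls"` respectively, keeping the `set: false` and `compare` items as they are. The same two checks in the other two etcd.yaml sections of this commit (the sections ending at the 2.7 remediation text below, twice more) need the identical change.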


@ -155,7 +155,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: "check_for_k3s_etcd.sh 1.1.11" audit: "stat -c %a $etcddatadir"
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -736,7 +736,7 @@ groups:
- id: 1.2.26 - id: 1.2.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 1.2.29" audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
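Review bot: Check 1.2.26's new audit selects the first `Running kube-apiserver` line with `grep -m1`, which on a node with a persistent journal is the oldest retained start of k3s rather than the current one, so flags changed since that boot are audited against stale arguments. The third master.yaml in this commit uses `grep 'Running kube-apiserver' | tail -n1` for the same check, which picks the latest invocation; this hunk and the second master.yaml should read `audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1"` for the same reason. All three variants also assume a persistent journal under `/var/log/journal`; where journald is volatile the pipeline is presumably empty and the `bin_op: and` test fails without saying why, which is worth a sentence in the remediation text. The rest of the test_items for 1.2.26 lies outside the hunk.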


@ -24,6 +24,8 @@ master:
etcd: etcd:
bins: bins:
- containerd - containerd
datadirs:
- /var/lib/rancher/k3s/server/db/etcd
node: node:
components: components:


@ -10,15 +10,13 @@ groups:
checks: checks:
- id: 2.1 - id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.1" audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "cert-file" - flag: "cert-file"
env: "ETCD_CERT_FILE"
set: true set: true
- flag: "key-file" - flag: "key-file"
env: "ETCD_KEY_FILE"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure TLS encryption. Follow the etcd service documentation and configure TLS encryption.
@ -30,14 +28,13 @@ groups:
- id: 2.2 - id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)" text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.2" audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
set: true set: true
- flag: "client-cert-auth" - flag: "client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare: compare:
op: eq op: eq
value: true value: true
@ -50,15 +47,13 @@ groups:
- id: 2.3 - id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)" text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.3" audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--auto-tls" - flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false set: false
- flag: "--auto-tls" - flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare: compare:
op: eq op: eq
value: false value: false
@ -70,15 +65,13 @@ groups:
- id: 2.4 - id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.4" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "cert-file" - flag: "cert-file"
env: "ETCD_PEER_CERT_FILE"
set: true set: true
- flag: "key-file" - flag: "key-file"
env: "ETCD_PEER_KEY_FILE"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate Follow the etcd service documentation and configure peer TLS encryption as appropriate
@ -91,14 +84,13 @@ groups:
- id: 2.5 - id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.5" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
set: true set: true
- flag: "client-cert-auth" - flag: "client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
compare: compare:
op: eq op: eq
value: true value: true
@ -111,15 +103,13 @@ groups:
- id: 2.6 - id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.6" audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false set: false
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
compare: compare:
op: eq op: eq
value: false value: false
@ -132,11 +122,10 @@ groups:
- id: 2.7 - id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
audit: "check_for_k3s_etcd.sh 2.7" audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
tests: tests:
test_items: test_items:
- flag: "trusted-ca-file" - flag: "trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
set: true set: true
remediation: | remediation: |
[Manual test] [Manual test]


@ -155,7 +155,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: "check_for_k3s_etcd.sh 1.1.11" audit: "stat -c %a $etcddatadir"
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -735,7 +735,7 @@ groups:
- id: 1.2.26 - id: 1.2.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 1.2.29" audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:


@ -31,7 +31,8 @@ master:
etcd: etcd:
bins: bins:
- containerd - containerd
datadirs:
- /var/lib/rancher/k3s/server/db/etcd
node: node:
components: components:
- kubelet - kubelet


@ -10,15 +10,13 @@ groups:
checks: checks:
- id: 2.1 - id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.1" audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "cert-file" - flag: "cert-file"
env: "ETCD_CERT_FILE"
set: true set: true
- flag: "key-file" - flag: "key-file"
env: "ETCD_KEY_FILE"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure TLS encryption. Follow the etcd service documentation and configure TLS encryption.
@ -30,14 +28,13 @@ groups:
- id: 2.2 - id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)" text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.2" audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
set: true set: true
- flag: "client-cert-auth" - flag: "client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare: compare:
op: eq op: eq
value: true value: true
@ -50,15 +47,13 @@ groups:
- id: 2.3 - id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)" text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.3" audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--auto-tls" - flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false set: false
- flag: "--auto-tls" - flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare: compare:
op: eq op: eq
value: false value: false
@ -70,15 +65,13 @@ groups:
- id: 2.4 - id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.4" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "cert-file" - flag: "cert-file"
env: "ETCD_PEER_CERT_FILE"
set: true set: true
- flag: "key-file" - flag: "key-file"
env: "ETCD_PEER_KEY_FILE"
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate Follow the etcd service documentation and configure peer TLS encryption as appropriate
@ -91,14 +84,13 @@ groups:
- id: 2.5 - id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.5" audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
set: true set: true
- flag: "client-cert-auth" - flag: "client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
compare: compare:
op: eq op: eq
value: true value: true
@ -111,15 +103,13 @@ groups:
- id: 2.6 - id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.6" audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false set: false
- flag: "--peer-auto-tls" - flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
compare: compare:
op: eq op: eq
value: false value: false
@ -132,11 +122,10 @@ groups:
- id: 2.7 - id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
audit: "check_for_k3s_etcd.sh 2.7" audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
tests: tests:
test_items: test_items:
- flag: "trusted-ca-file" - flag: "trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
set: true set: true
remediation: | remediation: |
[Manual test] [Manual test]


@ -167,7 +167,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: "check_for_k3s_etcd.sh 1.1.11" audit: "stat -c %a $etcddatadir"
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -738,7 +738,7 @@ groups:
- id: 1.2.25 - id: 1.2.25
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 1.2.29" audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests: tests:
bin_op: and bin_op: and
test_items: test_items: