1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-12 01:38:14 +00:00
kube-bench/cfg/k3s-cis-1.23/etcd.yaml
Derek Nola ed51191d7c
Replace custom k3s etcd script checks with vanilla grep checks (#1601)
* Replace custom k3s etcd script checks with vanilla grep checks

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etcddatadir

Signed-off-by: Derek Nola <derek.nola@suse.com>

* chore: update go-linter version

Signed-off-by: chenk <hen.keinan@gmail.com>

* Use etcddatadir variable

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: chenk <hen.keinan@gmail.com>
Co-authored-by: chenk <hen.keinan@gmail.com>
2024-05-20 13:47:15 +03:00

138 lines
4.9 KiB
YAML

---
controls:
version: "k3s-cis-1.23"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 2
text: "Etcd Node Configuration"
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests:
bin_op: and
test_items:
- flag: "cert-file"
set: true
- flag: "key-file"
set: true
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
scored: true
- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
compare:
op: eq
value: true
set: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--client-cert-auth="true"
scored: true
- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
tests:
bin_op: or
test_items:
- flag: "--auto-tls"
set: false
- flag: "--auto-tls"
compare:
op: eq
value: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
scored: true
- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests:
bin_op: and
test_items:
- flag: "cert-file"
set: true
- flag: "key-file"
set: true
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
scored: true
- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
compare:
op: eq
value: true
set: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--peer-client-cert-auth=true
scored: true
- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
tests:
bin_op: or
test_items:
- flag: "--peer-auto-tls"
set: false
- flag: "--peer-auto-tls"
compare:
op: eq
value: false
set: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
scored: true
- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
tests:
test_items:
- flag: "trusted-ca-file"
set: true
remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
scored: false