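---
# kube-bench controls for the OpenShift (rh-1.0) etcd node.
#
# Every check here is Manual / unscored: on OpenShift the etcd static pods and
# their certificates are managed by the cluster etcd operator, so the audits
# only report the flags actually present on the running etcd process.
# Each audit loops over the pods in openshift-etcd and reads the etcd command
# line with `ps`; the trailing `done 2>/dev/null` on every loop discards
# stderr (e.g. from pods that are not ready), so only the extracted flag
# values reach the test_items.
controls:
version: rh-1.0
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      - id: 2.1
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Manual)"
        audit: |
          # For --cert-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--cert-file=[^ ]*\).*/\1/'
          done 2>/dev/null
          # For --key-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--key-file=[^ ]*\).*/\1/'
          done 2>/dev/null
        # One output line per pod and per flag; each line is tested on its own.
        use_multiple_values: true
        tests:
          test_items:
            # Both flags end in "file", so a single regex covers the
            # serving cert (.crt) and its key (.key) under etcd-all-serving.
            - flag: "file"
              compare:
                op: regex
                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-serving\/etcd-serving-.*\.(?:crt|key)'
        remediation: |
          OpenShift does not use the etcd-certfile or etcd-keyfile flags.
          Certificates for etcd are managed by the etcd cluster operator.
        scored: false

      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true (Manual)"
        audit: |
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--client-cert-auth=[^ ]*\).*/\1/'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            - flag: "--client-cert-auth"
              compare:
                op: eq
                # Quoted: the compared value is a string, not a YAML boolean.
                value: "true"
        # Fixed: a stray closing quote at the end of this sentence.
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.3
        text: "Ensure that the --auto-tls argument is not set to true (Manual)"
        # grep's stdout is discarded and its stderr folded into it, so only the
        # `exit_code=N` line is emitted per pod. (Previously `2>&1>/dev/null`,
        # which sent grep's stderr into the captured output instead.)
        audit: |
          # Returns 0 if found, 1 if not found
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --auto-tls=true >/dev/null 2>&1 ; echo exit_code=$?
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            # Pass when grep did NOT find --auto-tls=true (exit status 1).
            - flag: "exit_code"
              compare:
                op: eq
                value: "1"
        # Fixed: a stray trailing character after the final full stop.
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.4
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Manual)"
        audit: |
          # For --peer-cert-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-cert-file=[^ ]*\).*/\1/'
          done 2>/dev/null
          # For --peer-key-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-key-file=[^ ]*\).*/\1/'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            # Peer cert and key both live under etcd-all-peer.
            - flag: "file"
              compare:
                op: regex
                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-peer\/etcd-peer-.*\.(?:crt|key)'
        remediation: |
          None. This configuration is managed by the etcd operator.
        scored: false

      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Manual)"
        audit: |
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-client-cert-auth=[^ ]*\).*/\1/'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                # Quoted: the compared value is a string, not a YAML boolean.
                value: "true"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true (Manual)"
        # Same redirect ordering as 2.3: only `exit_code=N` is emitted per pod.
        audit: |
          # Returns 0 if found, 1 if not found
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --peer-auto-tls=true >/dev/null 2>&1 ; echo exit_code=$?
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            # Pass when grep did NOT find --peer-auto-tls=true (exit status 1).
            - flag: "exit_code"
              compare:
                op: eq
                value: "1"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
        audit: |
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--trusted-ca-file=[^ ]*\).*/\1/'
          done 2>/dev/null
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-trusted-ca-file=[^ ]*\).*/\1/'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            # Matches the client-serving CA bundle and the peer-client CA
            # bundle; both are separate from the cluster's Kubernetes CA.
            - flag: "file"
              compare:
                op: regex
                value: '\/etc\/kubernetes\/static-pod-certs\/configmaps\/etcd-(?:serving|peer-client)-ca\/ca-bundle\.(?:crt|key)'
        remediation: |
          None required. Certificates for etcd are managed by the OpenShift cluster etcd operator.
        scored: false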