Replace custom k3s etcd script checks with vanilla grep checks

Signed-off-by: Derek Nola <derek.nola@suse.com>
aquasecurity · Apr 22, 2024 · 2052688 · 2052688
1 parent ff9341a
commit 2052688
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 27 deletions.
diff --git a/cfg/k3s-cis-1.23/etcd.yaml b/cfg/k3s-cis-1.23/etcd.yaml
@@ -10,7 +10,7 @@ groups:
     checks:
       - id: 2.1
         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.1"
+        audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
@@ -30,7 +30,7 @@ groups:
 
       - id: 2.2
         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.2"
+        audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
@@ -50,7 +50,7 @@ groups:
 
       - id: 2.3
         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.3"
+        audit: "grep 'auto-tls' $etcdconf"
         tests:
           bin_op: or
           test_items:
@@ -70,7 +70,7 @@ groups:
 
       - id: 2.4
         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.4"
+        audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
@@ -91,7 +91,7 @@ groups:
 
       - id: 2.5
         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.5"
+        audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
@@ -111,7 +111,7 @@ groups:
 
       - id: 2.6
         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.6"
+        audit: "grep 'peer-auto-tls' $etcdconf"
         tests:
           bin_op: or
           test_items:
@@ -132,7 +132,7 @@ groups:
 
       - id: 2.7
         text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
-        audit: "check_for_k3s_etcd.sh 2.7"
+        audit: "grep 'trusted-ca-file' $etcdconf"
         tests:
           test_items:
             - flag: "trusted-ca-file"

diff --git a/cfg/k3s-cis-1.23/master.yaml b/cfg/k3s-cis-1.23/master.yaml
@@ -155,7 +155,7 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: "stat -c %a /var/lib/rancher/k3s/server/db/etcd"
         tests:
           test_items:
             - flag: "700"
@@ -736,7 +736,7 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
         tests:
           bin_op: and
           test_items:

diff --git a/cfg/k3s-cis-1.24/etcd.yaml b/cfg/k3s-cis-1.24/etcd.yaml
@@ -10,7 +10,7 @@ groups:
     checks:
       - id: 2.1
         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.1"
+        audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
@@ -30,7 +30,7 @@ groups:
 
       - id: 2.2
         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.2"
+        audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
@@ -50,7 +50,7 @@ groups:
 
       - id: 2.3
         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.3"
+        audit: "grep 'auto-tls' $etcdconf"
         tests:
           bin_op: or
           test_items:
@@ -70,7 +70,7 @@ groups:
 
       - id: 2.4
         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.4"
+        audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
@@ -91,7 +91,7 @@ groups:
 
       - id: 2.5
         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.5"
+        audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
@@ -111,7 +111,7 @@ groups:
 
       - id: 2.6
         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.6"
+        audit: "grep 'peer-auto-tls' $etcdconf"
         tests:
           bin_op: or
           test_items:
@@ -132,7 +132,7 @@ groups:
 
       - id: 2.7
         text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.7"
+        audit: "grep 'trusted-ca-file' $etcdconf"
         tests:
           test_items:
             - flag: "trusted-ca-file"

diff --git a/cfg/k3s-cis-1.24/master.yaml b/cfg/k3s-cis-1.24/master.yaml
@@ -155,7 +155,7 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: "stat -c %a /var/lib/rancher/k3s/server/db/etcd"
         tests:
           test_items:
             - flag: "700"
@@ -735,7 +735,7 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'"
         tests:
           bin_op: and
           test_items:

diff --git a/cfg/k3s-cis-1.7/etcd.yaml b/cfg/k3s-cis-1.7/etcd.yaml
@@ -10,7 +10,7 @@ groups:
     checks:
       - id: 2.1
         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.1"
+        audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
@@ -30,7 +30,7 @@ groups:
 
       - id: 2.2
         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.2"
+        audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
@@ -50,7 +50,7 @@ groups:
 
       - id: 2.3
         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.3"
+        audit: "grep 'auto-tls' $etcdconf | true"
         tests:
           bin_op: or
           test_items:
@@ -70,7 +70,7 @@ groups:
 
       - id: 2.4
         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.4"
+        audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
         tests:
           bin_op: and
           test_items:
@@ -91,7 +91,7 @@ groups:
 
       - id: 2.5
         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.5"
+        audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
         tests:
           bin_op: or
           test_items:
@@ -111,7 +111,7 @@ groups:
 
       - id: 2.6
         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.6"
+        audit: "grep 'peer-auto-tls' $etcdconf | true"
         tests:
           bin_op: or
           test_items:
@@ -132,7 +132,7 @@ groups:
 
       - id: 2.7
         text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.7"
+        audit: "grep 'trusted-ca-file' $etcdconf"
         tests:
           test_items:
             - flag: "trusted-ca-file"

diff --git a/cfg/k3s-cis-1.7/master.yaml b/cfg/k3s-cis-1.7/master.yaml
@@ -167,7 +167,7 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: "stat -c %a /var/lib/rancher/k3s/server/db/etcd"
         tests:
           test_items:
             - flag: "700"
@@ -738,7 +738,7 @@ groups:
 
       - id: 1.2.25
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1"
         tests:
           bin_op: and
           test_items: