
Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etc…
…ddatadir

Signed-off-by: Derek Nola <derek.nola@suse.com>
dereknola committed May 6, 2024
1 parent 2052688 commit df52f48
Showing 9 changed files with 32 additions and 58 deletions.
3 changes: 3 additions & 0 deletions cfg/config.yaml
Expand Up @@ -95,6 +95,7 @@ master:
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
- /var/lib/rancher/k3s/server/db/etcd
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml
Expand All @@ -105,6 +106,7 @@ master:
- /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service
- /var/lib/rancher/rke2/server/db/etcd/config
- /var/lib/rancher/k3s/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd

Expand Down Expand Up @@ -234,6 +236,7 @@ etcd:
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
- /var/lib/rancher/k3s/server/db/etcd
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml
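Review bot: The new k3s etcd config path `/var/lib/rancher/k3s/server/db/etcd/config` is added only to the `master:` confs list (second hunk), while the third hunk adds the matching datadir under `etcd:` whose own confs list is cut off after the two `/etc/kubernetes/manifests` entries. If the `etcd:` confs list outside this hunk does not also carry the k3s config path, `$etcdconf` resolves to `defaultconf` when the etcd target runs on a k3s node while the master target finds the real file, and the TLS checks in etcd.yaml would then grep the wrong file. Worth confirming that list and adding `- /var/lib/rancher/k3s/server/db/etcd/config` there if it is absent.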
3 changes: 2 additions & 1 deletion cfg/k3s-cis-1.23/config.yaml
Expand Up @@ -24,7 +24,8 @@ master:
etcd:
bins:
- containerd

datadirs:
- /var/lib/rancher/k3s/server/db/etcd
node:
components:
- kubelet
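Review bot: `datadirs` is introduced with a single candidate and no `defaultdatadir`, so on a k3s server that is not running embedded etcd (no `/var/lib/rancher/k3s/server/db/etcd` directory) `$etcddatadir` presumably falls back to the base config's `defaultdatadir: /var/lib/etcd/default.etcd`, and the `stat -c %a $etcddatadir` audit in master.yaml 1.1.11 then fails against a path that never exists on k3s. If that is the merge behaviour, consider adding `defaultdatadir: /var/lib/rancher/k3s/server/db/etcd` beside the new list so the failure at least reports the k3s path. The same applies to cfg/k3s-cis-1.24/config.yaml and cfg/k3s-cis-1.7/config.yaml; note also that the 1.23 and 1.7 hunks drop the blank line after `- containerd` while the 1.24 hunk keeps it after the new list, so the three files end up formatted differently.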
25 changes: 7 additions & 18 deletions cfg/k3s-cis-1.23/etcd.yaml
Expand Up @@ -10,15 +10,13 @@ groups:
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests:
bin_op: and
test_items:
- flag: "cert-file"
env: "ETCD_CERT_FILE"
set: true
- flag: "key-file"
env: "ETCD_KEY_FILE"
set: true
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Expand All @@ -30,14 +28,13 @@ groups:

- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
Expand All @@ -50,15 +47,13 @@ groups:

- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "grep 'auto-tls' $etcdconf"
audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
tests:
bin_op: or
test_items:
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare:
op: eq
value: false
Expand All @@ -70,15 +65,13 @@ groups:

- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests:
bin_op: and
test_items:
- flag: "cert-file"
env: "ETCD_PEER_CERT_FILE"
set: true
- flag: "key-file"
env: "ETCD_PEER_KEY_FILE"
set: true
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
Expand All @@ -91,14 +84,13 @@ groups:

- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
Expand All @@ -111,15 +103,13 @@ groups:

- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "grep 'peer-auto-tls' $etcdconf"
audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
tests:
bin_op: or
test_items:
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
compare:
op: eq
value: false
Expand All @@ -132,11 +122,10 @@ groups:

- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
audit: "grep 'trusted-ca-file' $etcdconf"
audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
tests:
test_items:
- flag: "trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
set: true
remediation: |
[Manual test]
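Review bot: The reworked 2.3 audit now prints the config-file line (`auto-tls: <value>`) or `notset`, but both test items still look for the dashed flag `--auto-tls`; if kube-bench matches flags by substring, as the paired `--client-cert-auth`/`client-cert-auth` items in 2.2 suggest, neither item can match the new output, so the `set: false` item passes even when the file contains `auto-tls: true` and, under `bin_op: or`, the check can never fail. Both 2.3 items should use the file-form key, `- flag: "auto-tls"`, and both 2.6 items `- flag: "peer-auto-tls"`; with that, `notset` satisfies `set: false`, `auto-tls: false` satisfies the compare, and `auto-tls: true` fails both. The `^auto-tls` / `^peer-auto-tls` anchors also assume these keys sit at the top level of the k3s etcd config file; if they are nested under the transport-security sections, the audit always echoes `notset` and the check silently passes. cfg/k3s-cis-1.24/etcd.yaml carries the identical change and needs the same fix.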
2 changes: 1 addition & 1 deletion cfg/k3s-cis-1.23/master.yaml
Expand Up @@ -155,7 +155,7 @@ groups:

- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/k3s/server/db/etcd"
audit: "stat -c %a $etcddatadir"
tests:
test_items:
- flag: "700"
2 changes: 2 additions & 0 deletions cfg/k3s-cis-1.24/config.yaml
Expand Up @@ -24,6 +24,8 @@ master:
etcd:
bins:
- containerd
datadirs:
- /var/lib/rancher/k3s/server/db/etcd

node:
components:
25 changes: 7 additions & 18 deletions cfg/k3s-cis-1.24/etcd.yaml
Expand Up @@ -10,15 +10,13 @@ groups:
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests:
bin_op: and
test_items:
- flag: "cert-file"
env: "ETCD_CERT_FILE"
set: true
- flag: "key-file"
env: "ETCD_KEY_FILE"
set: true
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Expand All @@ -30,14 +28,13 @@ groups:

- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
Expand All @@ -50,15 +47,13 @@ groups:

- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "grep 'auto-tls' $etcdconf"
audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
tests:
bin_op: or
test_items:
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare:
op: eq
value: false
Expand All @@ -70,15 +65,13 @@ groups:

- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
tests:
bin_op: and
test_items:
- flag: "cert-file"
env: "ETCD_PEER_CERT_FILE"
set: true
- flag: "key-file"
env: "ETCD_PEER_KEY_FILE"
set: true
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
Expand All @@ -91,14 +84,13 @@ groups:

- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
Expand All @@ -111,15 +103,13 @@ groups:

- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "grep 'peer-auto-tls' $etcdconf"
audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
tests:
bin_op: or
test_items:
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
compare:
op: eq
value: false
Expand All @@ -132,11 +122,10 @@ groups:

- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
audit: "grep 'trusted-ca-file' $etcdconf"
audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
tests:
test_items:
- flag: "trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
set: true
remediation: |
[Manual test]
2 changes: 1 addition & 1 deletion cfg/k3s-cis-1.24/master.yaml
Expand Up @@ -155,7 +155,7 @@ groups:

- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: "stat -c %a /var/lib/rancher/k3s/server/db/etcd"
audit: "stat -c %a $etcddatadir"
tests:
test_items:
- flag: "700"
3 changes: 2 additions & 1 deletion cfg/k3s-cis-1.7/config.yaml
Expand Up @@ -31,7 +31,8 @@ master:
etcd:
bins:
- containerd

datadirs:
- /var/lib/rancher/k3s/server/db/etcd
node:
components:
- kubelet
