From df52f48b4a650d0e61f842f1e8b3e51a0829c8e9 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Mon, 6 May 2024 12:00:30 -0700
Subject: [PATCH] Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etcddatadir

Signed-off-by: Derek Nola
---
 cfg/config.yaml | 3 +++
 cfg/k3s-cis-1.23/config.yaml | 3 ++-
 cfg/k3s-cis-1.23/etcd.yaml | 25 +++++++------------------
 cfg/k3s-cis-1.23/master.yaml | 2 +-
 cfg/k3s-cis-1.24/config.yaml | 2 ++
 cfg/k3s-cis-1.24/etcd.yaml | 25 +++++++------------------
 cfg/k3s-cis-1.24/master.yaml | 2 +-
 cfg/k3s-cis-1.7/config.yaml | 3 ++-
 cfg/k3s-cis-1.7/etcd.yaml | 25 +++++++------------------
 9 files changed, 32 insertions(+), 58 deletions(-)

diff --git a/cfg/config.yaml b/cfg/config.yaml
index 05aeeb477..b26115f37 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -95,6 +95,7 @@ master:
 datadirs:
 - /var/lib/etcd/default.etcd
 - /var/lib/etcd/data.etcd
+ - /var/lib/rancher/k3s/server/db/etcd
 confs:
 - /etc/kubernetes/manifests/etcd.yaml
 - /etc/kubernetes/manifests/etcd.yml
@@ -105,6 +106,7 @@ master:
 - /var/snap/microk8s/current/args/etcd
 - /usr/lib/systemd/system/etcd.service
 - /var/lib/rancher/rke2/server/db/etcd/config
+ - /var/lib/rancher/k3s/server/db/etcd/config
 defaultconf: /etc/kubernetes/manifests/etcd.yaml
 defaultdatadir: /var/lib/etcd/default.etcd
 
@@ -234,6 +236,7 @@ etcd:
 datadirs:
 - /var/lib/etcd/default.etcd
 - /var/lib/etcd/data.etcd
+ - /var/lib/rancher/k3s/server/db/etcd
 confs:
 - /etc/kubernetes/manifests/etcd.yaml
 - /etc/kubernetes/manifests/etcd.yml
diff --git a/cfg/k3s-cis-1.23/config.yaml b/cfg/k3s-cis-1.23/config.yaml
index 32033c099..d6deb1ce6 100644
--- a/cfg/k3s-cis-1.23/config.yaml
+++ b/cfg/k3s-cis-1.23/config.yaml
@@ -24,7 +24,8 @@ master:
 etcd:
 bins:
 - containerd
-
+ datadirs:
+ - /var/lib/rancher/k3s/server/db/etcd
 node:
 components:
 - kubelet
diff --git a/cfg/k3s-cis-1.23/etcd.yaml b/cfg/k3s-cis-1.23/etcd.yaml
index 7c36533ac..54cfd0816 100644
--- a/cfg/k3s-cis-1.23/etcd.yaml
+++ b/cfg/k3s-cis-1.23/etcd.yaml
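Review bot: In the hunk at -234 the k3s data dir is added to the top-level `etcd:` section's `datadirs`, but the matching config path (`- /var/lib/rancher/k3s/server/db/etcd/config`, added to `master.etcd.confs` in the hunk at -105) is not added to this section's `confs`, which starts right below the added line. If the `etcd:` section is meant to mirror `master.etcd` — it already lists the same two default datadirs — a run targeting the etcd node type on a k3s host would presumably resolve `$etcdconf` to the generic `defaultconf` and every check in etcd.yaml would grep the wrong file. Add the same entry to this section's `confs`; where exactly it belongs depends on the rest of that list, which is outside the hunk.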
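Review bot: The k3s-cis-1.23 config hunk adds `datadirs` under the `master.etcd` override but not `defaultdatadir`, so when none of the listed directories exists on the host (a server running without embedded etcd, for instance) `$etcddatadir` in the rewritten 1.1.11 check presumably falls back to the `defaultdatadir: /var/lib/etcd/default.etcd` inherited from cfg/config.yaml and the check stats a path unrelated to k3s. Consider adding `defaultdatadir: /var/lib/rancher/k3s/server/db/etcd` next to `datadirs` here and in the k3s-cis-1.24 and k3s-cis-1.7 config hunks. On style, this hunk and the 1.7 one drop the blank line that separated the `master:` block from `node:`, while the 1.24 hunk keeps it; keeping it in all three would be consistent.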
@@ -10,15 +10,13 @@ groups:
 checks:
 - id: 2.1
 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
- audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
+ audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
 tests:
 bin_op: and
 test_items:
 - flag: "cert-file"
- env: "ETCD_CERT_FILE"
 set: true
 - flag: "key-file"
- env: "ETCD_KEY_FILE"
 set: true
 remediation: |
 Follow the etcd service documentation and configure TLS encryption.
@@ -30,14 +28,13 @@ groups:
 
 - id: 2.2
 text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
- audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
+ audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
 tests:
 bin_op: or
 test_items:
 - flag: "--client-cert-auth"
 set: true
 - flag: "client-cert-auth"
- env: "ETCD_CLIENT_CERT_AUTH"
 compare:
 op: eq
 value: true
@@ -50,15 +47,13 @@ groups:
 
 - id: 2.3
 text: "Ensure that the --auto-tls argument is not set to true (Automated)"
- audit: "grep 'auto-tls' $etcdconf"
+ audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
 tests:
 bin_op: or
 test_items:
 - flag: "--auto-tls"
- env: "ETCD_AUTO_TLS"
 set: false
 - flag: "--auto-tls"
- env: "ETCD_AUTO_TLS"
 compare:
 op: eq
 value: false
@@ -70,15 +65,13 @@ groups:
 
 - id: 2.4
 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
- audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
+ audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
 tests:
 bin_op: and
 test_items:
 - flag: "cert-file"
- env: "ETCD_PEER_CERT_FILE"
 set: true
 - flag: "key-file"
- env: "ETCD_PEER_KEY_FILE"
 set: true
 remediation: |
 Follow the etcd service documentation and configure peer TLS encryption as appropriate
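Review bot: Going from `-A 5` to `-A 4` in 2.1 keeps the check positional: it assumes `cert-file` and `key-file` sit within the four lines after `client-transport-security:` and that nothing from the neighbouring block lands inside that window. An extra or reordered key in the generated file would either push the keys out of the window (a false FAIL) or pull the other transport-security block's lines in (a false PASS); the same applies to 2.2, 2.4 and 2.5 here and to their copies in k3s-cis-1.24/etcd.yaml and k3s-cis-1.7/etcd.yaml. If the config is block YAML with the block's keys indented, selecting the block by indentation is robust to both, e.g. `audit: "awk '/^client-transport-security:/{f=1;next} /^[^ ]/{f=0} f' $etcdconf | grep -E 'cert-file|key-file'"`. Otherwise at least record the assumption on the audit line, e.g. `# -A 4: assumes the four keys written directly under the block; adjust if the generated layout changes` (the generated layout itself is not visible in this diff).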
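Review bot: The new 2.3 audit prints the config-file key form (`auto-tls: <value>`, or `notset`), but both test items still look for the CLI form `--auto-tls`; as far as I can tell kube-bench matches the flag text literally, so a line `auto-tls: true` matches neither item, the first item (`set: false`) is satisfied, and the check passes on exactly the condition it is meant to catch. Use the key form the grep emits, as 2.2 in the same file does for `client-cert-auth`: `- flag: "auto-tls"` for both items (and `- flag: "peer-auto-tls"` in 2.6), which still passes on `notset` and fails on `auto-tls: true`. The same mismatch is in 2.6 of this file and in 2.3/2.6 of k3s-cis-1.24/etcd.yaml and k3s-cis-1.7/etcd.yaml. Note also that the `^` anchor only finds the key at column 0; if the option were written nested under `client-transport-security:` (etcd's own config-file layout for it) the audit would report `notset`, so a comment stating which layout is assumed would help the next maintainer.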
@@ -91,14 +84,13 @@ groups:
 
 - id: 2.5
 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
- audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
+ audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
 tests:
 bin_op: or
 test_items:
 - flag: "--client-cert-auth"
 set: true
 - flag: "client-cert-auth"
- env: "ETCD_PEER_CLIENT_CERT_AUTH"
 compare:
 op: eq
 value: true
@@ -111,15 +103,13 @@ groups:
 
 - id: 2.6
 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
- audit: "grep 'peer-auto-tls' $etcdconf"
+ audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
 tests:
 bin_op: or
 test_items:
 - flag: "--peer-auto-tls"
- env: "ETCD_PEER_AUTO_TLS"
 set: false
 - flag: "--peer-auto-tls"
- env: "ETCD_PEER_AUTO_TLS"
 compare:
 op: eq
 value: false
@@ -132,11 +122,10 @@ groups:
 
 - id: 2.7
 text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
- audit: "grep 'trusted-ca-file' $etcdconf"
+ audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
 tests:
 test_items:
 - flag: "trusted-ca-file"
- env: "ETCD_TRUSTED_CA_FILE"
 set: true
 remediation: |
 [Manual test]
diff --git a/cfg/k3s-cis-1.23/master.yaml b/cfg/k3s-cis-1.23/master.yaml
index c5391ba7f..a03bca99c 100644
--- a/cfg/k3s-cis-1.23/master.yaml
+++ b/cfg/k3s-cis-1.23/master.yaml
@@ -155,7 +155,7 @@ groups:
 
 - id: 1.1.11
 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
- audit: "stat -c %a /var/lib/rancher/k3s/server/db/etcd"
+ audit: "stat -c %a $etcddatadir"
 tests:
 test_items:
 - flag: "700"
diff --git a/cfg/k3s-cis-1.24/config.yaml b/cfg/k3s-cis-1.24/config.yaml
index 32033c099..cafe7019a 100644
--- a/cfg/k3s-cis-1.24/config.yaml
+++ b/cfg/k3s-cis-1.24/config.yaml
@@ -24,6 +24,8 @@ master:
 etcd:
 bins:
 - containerd
+ datadirs:
+ - /var/lib/rancher/k3s/server/db/etcd
 
 node:
 components:
diff --git a/cfg/k3s-cis-1.24/etcd.yaml b/cfg/k3s-cis-1.24/etcd.yaml
index fc809fa88..40af92e65 100644
--- a/cfg/k3s-cis-1.24/etcd.yaml
+++ b/cfg/k3s-cis-1.24/etcd.yaml
@@ -10,15 +10,13 @@ groups:
 checks:
 - id: 2.1
 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
- audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
+ audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
 tests:
 bin_op: and
 test_items:
 - flag: "cert-file"
- env: "ETCD_CERT_FILE"
 set: true
 - flag: "key-file"
- env: "ETCD_KEY_FILE"
 set: true
 remediation: |
 Follow the etcd service documentation and configure TLS encryption.
@@ -30,14 +28,13 @@ groups:
 
 - id: 2.2
 text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
- audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
+ audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
 tests:
 bin_op: or
 test_items:
 - flag: "--client-cert-auth"
 set: true
 - flag: "client-cert-auth"
- env: "ETCD_CLIENT_CERT_AUTH"
 compare:
 op: eq
 value: true
@@ -50,15 +47,13 @@ groups:
 
 - id: 2.3
 text: "Ensure that the --auto-tls argument is not set to true (Automated)"
- audit: "grep 'auto-tls' $etcdconf"
+ audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
 tests:
 bin_op: or
 test_items:
 - flag: "--auto-tls"
- env: "ETCD_AUTO_TLS"
 set: false
 - flag: "--auto-tls"
- env: "ETCD_AUTO_TLS"
 compare:
 op: eq
 value: false
@@ -70,15 +65,13 @@ groups:
 
 - id: 2.4
 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
- audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
+ audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
 tests:
 bin_op: and
 test_items:
 - flag: "cert-file"
- env: "ETCD_PEER_CERT_FILE"
 set: true
 - flag: "key-file"
- env: "ETCD_PEER_KEY_FILE"
 set: true
 remediation: |
 Follow the etcd service documentation and configure peer TLS encryption as appropriate
@@ -91,14 +84,13 @@ groups:
 
 - id: 2.5
 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
- audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
+ audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
 tests:
 bin_op: or
 test_items:
 - flag: "--client-cert-auth"
 set: true
 - flag: "client-cert-auth"
- env: "ETCD_PEER_CLIENT_CERT_AUTH"
 compare:
 op: eq
 value: true
@@ -111,15 +103,13 @@ groups:
 
 - id: 2.6
 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
- audit: "grep 'peer-auto-tls' $etcdconf"
+ audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
 tests:
 bin_op: or
 test_items:
 - flag: "--peer-auto-tls"
- env: "ETCD_PEER_AUTO_TLS"
 set: false
 - flag: "--peer-auto-tls"
- env: "ETCD_PEER_AUTO_TLS"
 compare:
 op: eq
 value: false
@@ -132,11 +122,10 @@ groups:
 
 - id: 2.7
 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
- audit: "grep 'trusted-ca-file' $etcdconf"
+ audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
 tests:
 test_items:
 - flag: "trusted-ca-file"
- env: "ETCD_TRUSTED_CA_FILE"
 set: true
 remediation: |
 [Manual test]
diff --git a/cfg/k3s-cis-1.24/master.yaml b/cfg/k3s-cis-1.24/master.yaml
index 0776aac61..6af44c7a5 100644
--- a/cfg/k3s-cis-1.24/master.yaml
+++ b/cfg/k3s-cis-1.24/master.yaml
@@ -155,7 +155,7 @@ groups:
 
 - id: 1.1.11
 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
- audit: "stat -c %a /var/lib/rancher/k3s/server/db/etcd"
+ audit: "stat -c %a $etcddatadir"
 tests:
 test_items:
 - flag: "700"
diff --git a/cfg/k3s-cis-1.7/config.yaml b/cfg/k3s-cis-1.7/config.yaml
index 816af1e8e..e9574b035 100644
--- a/cfg/k3s-cis-1.7/config.yaml
+++ b/cfg/k3s-cis-1.7/config.yaml
@@ -31,7 +31,8 @@ master:
 etcd:
 bins:
 - containerd
-
+ datadirs:
+ - /var/lib/rancher/k3s/server/db/etcd
 node:
 components:
 - kubelet
diff --git a/cfg/k3s-cis-1.7/etcd.yaml b/cfg/k3s-cis-1.7/etcd.yaml
index dd63cccc8..d29818148 100644
--- a/cfg/k3s-cis-1.7/etcd.yaml
+++ b/cfg/k3s-cis-1.7/etcd.yaml
@@ -10,15 +10,13 @@ groups:
 checks:
 - id: 2.1
 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
- audit: "grep -A 5 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
+ audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
 tests:
 bin_op: and
 test_items:
 - flag: "cert-file"
- env: "ETCD_CERT_FILE"
 set: true
 - flag: "key-file"
- env: "ETCD_KEY_FILE"
 set: true
 remediation: |
 Follow the etcd service documentation and configure TLS encryption.
@@ -30,14 +28,13 @@ groups:
 
 - id: 2.2
 text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
- audit: "grep -A 5 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
+ audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
 tests:
 bin_op: or
 test_items:
 - flag: "--client-cert-auth"
 set: true
 - flag: "client-cert-auth"
- env: "ETCD_CLIENT_CERT_AUTH"
 compare:
 op: eq
 value: true
@@ -50,15 +47,13 @@ groups:
 
 - id: 2.3
 text: "Ensure that the --auto-tls argument is not set to true (Automated)"
- audit: "grep 'auto-tls' $etcdconf | true"
+ audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
 tests:
 bin_op: or
 test_items:
 - flag: "--auto-tls"
- env: "ETCD_AUTO_TLS"
 set: false
 - flag: "--auto-tls"
- env: "ETCD_AUTO_TLS"
 compare:
 op: eq
 value: false
@@ -70,15 +65,13 @@ groups:
 
 - id: 2.4
 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
- audit: "grep -A 5 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
+ audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
 tests:
 bin_op: and
 test_items:
 - flag: "cert-file"
- env: "ETCD_PEER_CERT_FILE"
 set: true
 - flag: "key-file"
- env: "ETCD_PEER_KEY_FILE"
 set: true
 remediation: |
 Follow the etcd service documentation and configure peer TLS encryption as appropriate
@@ -91,14 +84,13 @@ groups:
 
 - id: 2.5
 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
- audit: "grep -A 5 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
+ audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
 tests:
 bin_op: or
 test_items:
 - flag: "--client-cert-auth"
 set: true
 - flag: "client-cert-auth"
- env: "ETCD_PEER_CLIENT_CERT_AUTH"
 compare:
 op: eq
 value: true
@@ -111,15 +103,13 @@ groups:
 
 - id: 2.6
 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
- audit: "grep 'peer-auto-tls' $etcdconf | true"
+ audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
 tests:
 bin_op: or
 test_items:
 - flag: "--peer-auto-tls"
- env: "ETCD_PEER_AUTO_TLS"
 set: false
 - flag: "--peer-auto-tls"
- env: "ETCD_PEER_AUTO_TLS"
 compare:
 op: eq
 value: false
@@ -132,11 +122,10 @@ groups:
 
 - id: 2.7
 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
- audit: "grep 'trusted-ca-file' $etcdconf"
+ audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
 tests:
 test_items:
 - flag: "trusted-ca-file"
- env: "ETCD_TRUSTED_CA_FILE"
 set: true
 remediation: |
 [Manual test]