Minor fixes for K3s checks (rancher#232)

* Fix check for K3s 4.1.9 and 4.1.10

Signed-off-by: Derek Nola <[email protected]>

* Set correct K3s 1.1.9 and 1.1.10 for each version of scan

Signed-off-by: Derek Nola <[email protected]>

* Spacing nit

Signed-off-by: Derek Nola <[email protected]>

---------

Signed-off-by: Derek Nola <[email protected]>
Co-authored-by: Andy Pitcher <[email protected]>

package/cfg/config.yaml

@@ -126,7 +126,6 @@ node:
       - "/etc/kubernetes/kubelet-kubeconfig"
       - "/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
       - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
-      - "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
       - "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
     confs:
       - "/var/lib/kubelet/config.yaml"
@@ -144,7 +143,6 @@ node:
       - "/etc/systemd/system/kubelet.service"
       - "/lib/systemd/system/kubelet.service"
       - "/etc/systemd/system/snap.kubelet.daemon.service"
-      - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
     defaultconf: "/var/lib/kubelet/config.yaml"
     defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
     defaultkubeconfig: "/etc/kubernetes/kubelet.conf"

package/cfg/k3s-cis-1.23-hardened/node.yaml

@@ -152,8 +152,8 @@ groups:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
   - id: 4.2

package/cfg/k3s-cis-1.23-permissive/node.yaml

@@ -152,8 +152,8 @@ groups:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
   - id: 4.2

package/cfg/k3s-cis-1.24-hardened/master.yaml

@@ -119,6 +119,7 @@ groups:
       - id: 1.1.9
         text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
         audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
+        type: "skip"
         use_multiple_values: true
         tests:
           test_items:
@@ -127,10 +128,8 @@ groups:
                 op: bitmask
                 value: "600"
         remediation: |
-          By default, K3s sets the CNI file permissions to 600.
-          Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
-          If you modify your CNI configuration, ensure that the permissions are set to 600.
-          For example, chmod 600 /var/lib/cni/networks/<filename>
+          Not Applicable.
+          The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
         scored: true
 
       - id: 1.1.10
@@ -144,9 +143,8 @@ groups:
           test_items:
             - flag: "root:root"
         remediation: |
-          Run the below command (based on the file location on your system) on the control plane node.
-          For example,
-          chown root:root <path/to/cni/files>
+          Not Applicable.
+          The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
         scored: false
 
       - id: 1.1.11

package/cfg/k3s-cis-1.24-hardened/node.yaml

@@ -127,15 +127,16 @@ groups:
       - id: 4.1.9
         text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
         audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+        type: "skip"
         tests:
           test_items:
             - flag: "permissions"
               compare:
                 op: bitmask
                 value: "600"
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chmod 600 $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
       - id: 4.1.10
@@ -146,8 +147,8 @@ groups:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
   - id: 4.2

package/cfg/k3s-cis-1.24-permissive/master.yaml

@@ -119,6 +119,7 @@ groups:
       - id: 1.1.9
         text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
         audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
+        type: "skip"
         use_multiple_values: true
         tests:
           test_items:
@@ -127,14 +128,12 @@ groups:
                 op: bitmask
                 value: "600"
         remediation: |
-          By default, K3s sets the CNI file permissions to 600.
-          Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
-          If you modify your CNI configuration, ensure that the permissions are set to 600.
-          For example, chmod 600 /var/lib/cni/networks/<filename>
+          Not Applicable.
+          The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
         scored: true
 
       - id: 1.1.10
-        text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
         type: "skip"
         audit: |
           ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
@@ -144,11 +143,11 @@ groups:
           test_items:
             - flag: "root:root"
         remediation: |
-          Run the below command (based on the file location on your system) on the control plane node.
-          For example,
-          chown root:root <path/to/cni/files>
+          Not Applicable.
+          The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
         scored: false
 
+
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
         audit: |

package/cfg/k3s-cis-1.24-permissive/node.yaml

@@ -127,15 +127,16 @@ groups:
       - id: 4.1.9
         text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
         audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+        type: "skip"
         tests:
           test_items:
             - flag: "permissions"
               compare:
                 op: bitmask
                 value: "600"
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chmod 600 $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
       - id: 4.1.10
@@ -146,8 +147,8 @@ groups:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
   - id: 4.2

package/cfg/k3s-cis-1.7-hardened/master.yaml

@@ -119,7 +119,7 @@ groups:
         scored: true
 
       - id: 1.1.9
-        text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
+        text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
         audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
         use_multiple_values: true
         tests:
@@ -129,28 +129,24 @@ groups:
                 op: bitmask
                 value: "600"
         remediation: |
-          By default, K3s sets the CNI file permissions to 600.
+          By default, K3s sets the CNI file permissions to 644.
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
         scored: true
 
       - id: 1.1.10
-        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
-        type: skip
-        audit: |
-          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
-          find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
+        text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+        audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
         use_multiple_values: true
         tests:
           test_items:
             - flag: "root:root"
         remediation: |
-          Not Applicable.
           Run the below command (based on the file location on your system) on the control plane node.
           For example,
-          chown root:root <path/to/cni/files>
-        scored: false
+          chown root:root /var/lib/cni/networks/<filename>
+        scored: true
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"

package/cfg/k3s-cis-1.7-hardened/node.yaml

@@ -143,8 +143,8 @@ groups:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
           Not Applicable.
           All configuration is passed in as arguments at container run time.
         scored: true
@@ -336,8 +336,8 @@ groups:
          If for some reason you need to provide your own certificate and key, you can set the
          the below parameters in the K3s config file /etc/rancher/k3s/config.yaml.
          kubelet-arg:
-         - "tls-cert-file=<path/to/tls-cert-file>"
-         - "tls-private-key-file=<path/to/tls-private-key-file>"
+           - "tls-cert-file=<path/to/tls-cert-file>"
+           - "tls-private-key-file=<path/to/tls-private-key-file>"
         scored: true
 
       - id: 4.2.10

package/cfg/k3s-cis-1.7-permissive/master.yaml

@@ -119,7 +119,7 @@ groups:
         scored: true
 
       - id: 1.1.9
-        text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
+        text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
         audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
         use_multiple_values: true
         tests:
@@ -129,28 +129,24 @@ groups:
                 op: bitmask
                 value: "600"
         remediation: |
-          By default, K3s sets the CNI file permissions to 600.
+          By default, K3s sets the CNI file permissions to 644.
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
         scored: true
 
       - id: 1.1.10
-        text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
-        type: skip
-        audit: |
-          ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
-          find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
+        text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+        audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
         use_multiple_values: true
         tests:
           test_items:
             - flag: "root:root"
         remediation: |
-          Not Applicable.
           Run the below command (based on the file location on your system) on the control plane node.
           For example,
-          chown root:root <path/to/cni/files>
-        scored: false
+          chown root:root /var/lib/cni/networks/<filename>
+        scored: true
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"

package/cfg/k3s-cis-1.7-permissive/node.yaml

@@ -131,8 +131,8 @@ groups:
                 op: bitmask
                 value: "600"
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chmod 600 $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
       - id: 4.1.10
@@ -143,8 +143,8 @@ groups:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
           Not Applicable.
           All configuration is passed in as arguments at container run time.
         scored: true

package/cfg/k3s-cis-1.8-hardened/node.yaml

@@ -123,26 +123,28 @@ groups:
       - id: 4.1.9
         text: "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"
         audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+        type: "skip"
         tests:
           test_items:
             - flag: "permissions"
               compare:
                 op: bitmask
                 value: "600"
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chmod 600 $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
       - id: 4.1.10
         text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
         audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+        type: "skip"
         tests:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
   - id: 4.2

package/cfg/k3s-cis-1.8-permissive/node.yaml

@@ -122,26 +122,28 @@ groups:
       - id: 4.1.9
         text: "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"
         audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+        type: "skip"
         tests:
           test_items:
             - flag: "permissions"
               compare:
                 op: bitmask
                 value: "600"
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chmod 600 $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
       - id: 4.1.10
         text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
         audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+        type: "skip"
         tests:
           test_items:
             - flag: root:root
         remediation: |
-          Run the following command (using the config file location identified in the Audit step)
-          chown root:root $kubeletconf
+          Not Applicable.
+          The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
         scored: true
 
   - id: 4.2