diff --git a/package/cfg/config.yaml b/package/cfg/config.yaml
index d02d768f..1cf13bae 100644
--- a/package/cfg/config.yaml
+++ b/package/cfg/config.yaml
@@ -126,7 +126,6 @@ node:
- "/etc/kubernetes/kubelet-kubeconfig"
- "/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
- "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
- - "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
confs:
- "/var/lib/kubelet/config.yaml"
@@ -144,7 +143,6 @@ node:
- "/etc/systemd/system/kubelet.service"
- "/lib/systemd/system/kubelet.service"
- "/etc/systemd/system/snap.kubelet.daemon.service"
- - "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
diff --git a/package/cfg/k3s-cis-1.23-hardened/node.yaml b/package/cfg/k3s-cis-1.23-hardened/node.yaml
index 95bed421..e7b53e13 100644
--- a/package/cfg/k3s-cis-1.23-hardened/node.yaml
+++ b/package/cfg/k3s-cis-1.23-hardened/node.yaml
@@ -152,8 +152,8 @@ groups:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.2
diff --git a/package/cfg/k3s-cis-1.23-permissive/node.yaml b/package/cfg/k3s-cis-1.23-permissive/node.yaml
index e25cd73a..1e0cd6fa 100644
--- a/package/cfg/k3s-cis-1.23-permissive/node.yaml
+++ b/package/cfg/k3s-cis-1.23-permissive/node.yaml
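Review bot: The 4.1.10 remediation in k3s-cis-1.23-hardened/node.yaml now reads `Not Applicable.` but the check itself stays active: no `type: "skip"` is added and `scored: true` is kept, unlike the k3s-cis-1.24 and k3s-cis-1.8 node files in this same commit, so the `$kubeletconf` audit (defined above the hunk) presumably keeps being evaluated and scored for a file the remediation says does not exist. Add `type: "skip"` next to the remediation, or keep the original remediation if the check is meant to remain active. The same gap is in k3s-cis-1.23-permissive/node.yaml and in both k3s-cis-1.7 node files. The test item's `id`, `text` and `audit` lines are outside the hunk.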
@@ -152,8 +152,8 @@ groups:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.2
diff --git a/package/cfg/k3s-cis-1.24-hardened/master.yaml b/package/cfg/k3s-cis-1.24-hardened/master.yaml
index cd3be1ab..d910ae8a 100644
--- a/package/cfg/k3s-cis-1.24-hardened/master.yaml
+++ b/package/cfg/k3s-cis-1.24-hardened/master.yaml
@@ -119,6 +119,7 @@ groups:
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
+ type: "skip"
use_multiple_values: true
tests:
test_items:
@@ -127,10 +128,8 @@ groups:
op: bitmask
value: "600"
remediation: |
- By default, K3s sets the CNI file permissions to 600.
- Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
- If you modify your CNI configuration, ensure that the permissions are set to 600.
- For example, chmod 600 /var/lib/cni/networks/
+ Not Applicable.
+ The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: true
- id: 1.1.10
@@ -144,9 +143,8 @@ groups:
test_items:
- flag: "root:root"
remediation: |
- Run the below command (based on the file location on your system) on the control plane node.
- For example,
- chown root:root
+ Not Applicable.
+ The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: false
- id: 1.1.11
diff --git a/package/cfg/k3s-cis-1.24-hardened/node.yaml b/package/cfg/k3s-cis-1.24-hardened/node.yaml
index 87799a1a..019621ca 100644
--- a/package/cfg/k3s-cis-1.24-hardened/node.yaml
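Review bot: Marking 1.1.9 in k3s-cis-1.24-hardened/master.yaml `type: "skip"` because flannel creates nothing under /var/lib/cni/networks removes the permission check entirely, including for clusters that replace the default CNI, which is exactly the case in which files under that directory can exist. The audit command already tolerates an empty directory (`2> /dev/null | xargs --no-run-if-empty`), so if the runner accepts an empty result the skip is unnecessary for the default case; if it does not, consider keeping the check active and rewording the remediation to `If a CNI other than the default flannel is in use, ensure any files it creates under /var/lib/cni/networks are set to 600 or more restrictive.` The same skip and rationale are added in k3s-cis-1.24-permissive/master.yaml, and 1.1.10 in both files receives the same flannel wording.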
+++ b/package/cfg/k3s-cis-1.24-hardened/node.yaml
@@ -127,6 +127,7 @@ groups:
- id: 4.1.9
text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+ type: "skip"
tests:
test_items:
- flag: "permissions"
@@ -134,8 +135,8 @@ groups:
op: bitmask
value: "600"
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chmod 600 $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.1.10
@@ -146,8 +147,8 @@ groups:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.2
diff --git a/package/cfg/k3s-cis-1.24-permissive/master.yaml b/package/cfg/k3s-cis-1.24-permissive/master.yaml
index 2179c195..5a9269f8 100644
--- a/package/cfg/k3s-cis-1.24-permissive/master.yaml
+++ b/package/cfg/k3s-cis-1.24-permissive/master.yaml
@@ -119,6 +119,7 @@ groups:
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
+ type: "skip"
use_multiple_values: true
tests:
test_items:
@@ -127,14 +128,12 @@ groups:
op: bitmask
value: "600"
remediation: |
- By default, K3s sets the CNI file permissions to 600.
- Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
- If you modify your CNI configuration, ensure that the permissions are set to 600.
- For example, chmod 600 /var/lib/cni/networks/
+ Not Applicable.
+ The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: true
- id: 1.1.10
- text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+ text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
type: "skip"
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
@@ -144,11 +143,11 @@ groups:
test_items:
- flag: "root:root"
remediation: |
- Run the below command (based on the file location on your system) on the control plane node.
- For example,
- chown root:root
+ Not Applicable.
+ The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: false
+
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: |
diff --git a/package/cfg/k3s-cis-1.24-permissive/node.yaml b/package/cfg/k3s-cis-1.24-permissive/node.yaml
index 9b598710..b67f67a5 100644
--- a/package/cfg/k3s-cis-1.24-permissive/node.yaml
+++ b/package/cfg/k3s-cis-1.24-permissive/node.yaml
@@ -127,6 +127,7 @@ groups:
- id: 4.1.9
text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+ type: "skip"
tests:
test_items:
- flag: "permissions"
@@ -134,8 +135,8 @@ groups:
op: bitmask
value: "600"
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chmod 600 $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.1.10
@@ -146,8 +147,8 @@ groups:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.2
diff --git a/package/cfg/k3s-cis-1.7-hardened/master.yaml b/package/cfg/k3s-cis-1.7-hardened/master.yaml
index 819026d3..998db52e 100644
--- a/package/cfg/k3s-cis-1.7-hardened/master.yaml
+++ b/package/cfg/k3s-cis-1.7-hardened/master.yaml
@@ -119,7 +119,7 @@ groups:
scored: true
- id: 1.1.9
- text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
+ text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
use_multiple_values: true
tests:
@@ -129,28 +129,24 @@ groups:
op: bitmask
value: "600"
remediation: |
- By default, K3s sets the CNI file permissions to 600.
+ By default, K3s sets the CNI file permissions to 644.
Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
If you modify your CNI configuration, ensure that the permissions are set to 600.
For example, chmod 600 /var/lib/cni/networks/
scored: true
- id: 1.1.10
- text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
- type: skip
- audit: |
- ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
- find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
+ text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+ audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
- Not Applicable.
Run the below command (based on the file location on your system) on the control plane node.
For example,
- chown root:root
- scored: false
+ chown root:root /var/lib/cni/networks/
+ scored: true
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
diff --git a/package/cfg/k3s-cis-1.7-hardened/node.yaml b/package/cfg/k3s-cis-1.7-hardened/node.yaml
index 86437e36..bbf9eda9 100644
--- a/package/cfg/k3s-cis-1.7-hardened/node.yaml
+++ b/package/cfg/k3s-cis-1.7-hardened/node.yaml
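Review bot: The new 1.1.10 remediation line `chown root:root /var/lib/cni/networks/` changes ownership of the directory only, while the new audit stats every regular file beneath it (`find /var/lib/cni/networks -type f ... stat -c %U:%G`), so an operator who follows the remediation can still fail the now-scored check; `chown -R root:root /var/lib/cni/networks/` (or a find/xargs chown over the same files) matches what is audited. In the same hunk the 1.1.9 remediation now states the default permissions are 644 while the test still requires a 600 bitmask and `scored: true` is kept with the title changed to Manual, so a default installation presumably fails a check that the title says is not automated; either the stated default, the test value or the scoring should change. Both edits are repeated in k3s-cis-1.7-permissive/master.yaml.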
@@ -143,8 +143,8 @@ groups:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
Not Applicable. All configuration is passed in as arguments at container run time.
scored: true
@@ -336,8 +336,8 @@ groups:
If for some reason you need to provide your own certificate and key, you can set the
the below parameters in the K3s config file /etc/rancher/k3s/config.yaml.
kubelet-arg:
- - "tls-cert-file="
- - "tls-private-key-file="
+ - "tls-cert-file="
+ - "tls-private-key-file="
scored: true
- id: 4.2.10
diff --git a/package/cfg/k3s-cis-1.7-permissive/master.yaml b/package/cfg/k3s-cis-1.7-permissive/master.yaml
index 74a5efb1..24cb5bb3 100644
--- a/package/cfg/k3s-cis-1.7-permissive/master.yaml
+++ b/package/cfg/k3s-cis-1.7-permissive/master.yaml
@@ -119,7 +119,7 @@ groups:
scored: true
- id: 1.1.9
- text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
+ text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
use_multiple_values: true
tests:
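Review bot: After this change the 4.1.10 remediation in k3s-cis-1.7-hardened/node.yaml carries two `Not Applicable.` statements that disagree with each other: the added lines say configuration is passed to the kubelet embedded in the k3s process, while the pre-existing context line directly below them says `at container run time`. Drop the old `Not Applicable. All configuration is passed in as arguments at container run time.` line so the remediation makes a single, consistent statement. As in the 1.23 files, no `type: "skip"` accompanies the Not Applicable text and `scored: true` remains. k3s-cis-1.7-permissive/node.yaml ends up with the same duplicated text. The test item begins outside the hunk.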
@@ -129,28 +129,24 @@ groups:
op: bitmask
value: "600"
remediation: |
- By default, K3s sets the CNI file permissions to 600.
+ By default, K3s sets the CNI file permissions to 644.
Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
If you modify your CNI configuration, ensure that the permissions are set to 600.
For example, chmod 600 /var/lib/cni/networks/
scored: true
- id: 1.1.10
- text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
- type: skip
- audit: |
- ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
- find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
+ text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
+ audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
- Not Applicable.
Run the below command (based on the file location on your system) on the control plane node.
For example,
- chown root:root
- scored: false
+ chown root:root /var/lib/cni/networks/
+ scored: true
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
diff --git a/package/cfg/k3s-cis-1.7-permissive/node.yaml b/package/cfg/k3s-cis-1.7-permissive/node.yaml
index 5f486891..8d4e537c 100644
--- a/package/cfg/k3s-cis-1.7-permissive/node.yaml
+++ b/package/cfg/k3s-cis-1.7-permissive/node.yaml
@@ -131,8 +131,8 @@ groups:
op: bitmask
value: "600"
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chmod 600 $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.1.10
@@ -143,8 +143,8 @@ groups:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
Not Applicable. All configuration is passed in as arguments at container run time.
scored: true
diff --git a/package/cfg/k3s-cis-1.8-hardened/node.yaml b/package/cfg/k3s-cis-1.8-hardened/node.yaml
index e24ffd02..7357baae 100644
--- a/package/cfg/k3s-cis-1.8-hardened/node.yaml
+++ b/package/cfg/k3s-cis-1.8-hardened/node.yaml
@@ -123,6 +123,7 @@ groups:
- id: 4.1.9
text: "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+ type: "skip"
tests:
test_items:
- flag: "permissions"
@@ -130,19 +131,20 @@ groups:
op: bitmask
value: "600"
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chmod 600 $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.1.10
text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+ type: "skip"
tests:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.2
diff --git a/package/cfg/k3s-cis-1.8-permissive/node.yaml b/package/cfg/k3s-cis-1.8-permissive/node.yaml
index a8338085..b1715460 100644
--- a/package/cfg/k3s-cis-1.8-permissive/node.yaml
+++ b/package/cfg/k3s-cis-1.8-permissive/node.yaml
@@ -122,6 +122,7 @@ groups:
- id: 4.1.9
text: "Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+ type: "skip"
tests:
test_items:
- flag: "permissions"
@@ -129,19 +130,20 @@ groups:
op: bitmask
value: "600"
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chmod 600 $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.1.10
text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+ type: "skip"
tests:
test_items:
- flag: root:root
remediation: |
- Run the following command (using the config file location identified in the Audit step)
- chown root:root $kubeletconf
+ Not Applicable.
+ The kubelet is embedded in the k3s process. There is no kubelet config file, all configuration is passed in as arguments at runtime.
scored: true
- id: 4.2