Overhaul RKE2 1.XX Checks (rancher#231)

* Fix spacing in rke2-cis-1.8

Signed-off-by: Derek Nola <[email protected]>

* Correct audits and remediation for RKE2 1.X checks

Signed-off-by: Derek Nola <[email protected]>

* Remove duplicate etcd master checks

Signed-off-by: Derek Nola <[email protected]>

* Fix typos

Signed-off-by: Derek Nola <[email protected]>

* Change K3s 1.1.9 check to scored

Signed-off-by: Derek Nola <[email protected]>

---------

Signed-off-by: Derek Nola <[email protected]>

package/cfg/k3s-cis-1.24-hardened/master.yaml

@@ -131,7 +131,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

package/cfg/k3s-cis-1.24-permissive/master.yaml

@@ -131,7 +131,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"

package/cfg/k3s-cis-1.7-hardened/master.yaml

@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

package/cfg/k3s-cis-1.7-permissive/master.yaml

@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

package/cfg/k3s-cis-1.8-hardened/master.yaml

@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

package/cfg/k3s-cis-1.8-permissive/master.yaml

@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

package/cfg/rke2-cis-1.23-hardened/policies.yaml

@@ -208,8 +208,8 @@ groups:
         text: "Minimize the admission of containers with capabilities assigned (Manual)"
         type: "manual"
         remediation: |
-          Review the use of capabilites in applications running on your cluster. Where a namespace
-          contains applicaions which do not require any Linux capabities to operate consider adding
+          Review the use of capabilities in applications running on your cluster. Where a namespace
+          contains applications which do not require any Linux capabities to operate consider adding
           a PSP which forbids the admission of containers which do not drop all capabilities.
         scored: false
 

package/cfg/rke2-cis-1.23-permissive/policies.yaml

@@ -152,8 +152,8 @@ groups:
         text: "Minimize the admission of containers with capabilities assigned (Manual)"
         type: "manual"
         remediation: |
-          Review the use of capabilites in applications running on your cluster. Where a namespace
-          contains applicaions which do not require any Linux capabities to operate consider adding
+          Review the use of capabilities in applications running on your cluster. Where a namespace
+          contains applications which do not require any Linux capabities to operate consider adding
           a PSP which forbids the admission of containers which do not drop all capabilities.
         scored: false
 

package/cfg/rke2-cis-1.24-hardened/etcd.yaml

@@ -5,71 +5,6 @@ id: 2
 text: "Etcd Node Configuration"
 type: "etcd"
 groups:
-  - id: 1.1
-    text: "Master Node Configuration Files"
-    checks:
-      - id: 1.1.7
-        text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
-        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
-        tests:
-          test_items:
-            - flag: "644"
-              compare:
-                op: eq
-                value: "644"
-              set: true
-        remediation: |
-          Run the below command (based on the file location on your system) on the control plane node.
-          For example,
-          chmod 644 $etcdconf
-        scored: true
-
-      - id: 1.1.8
-        text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
-        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
-        tests:
-          test_items:
-            - flag: "root:root"
-              compare:
-                op: eq
-                value: "root:root"
-              set: true
-        remediation: |
-          Run the below command (based on the file location on your system) on the control plane node.
-          For example,
-          chown root:root $etcdconf
-        scored: true
-
-      - id: 1.1.11
-        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "stat -c permissions=%a $etcddatadir"
-        tests:
-          test_items:
-            - flag: "permissions"
-              compare:
-                op: bitmask
-                value: "700"
-        remediation: |
-          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
-          from the command 'ps -ef | grep etcd'.
-          Run the below command (based on the etcd data directory found above). For example,
-          chmod 700 $etcddatadir
-        scored: true
-
-      - id: 1.1.12
-        text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
-        audit: "stat -c %U:%G $etcddatadir"
-        tests:
-          test_items:
-            - flag: "etcd:etcd"
-              set: true
-        remediation: |
-          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
-          from the command 'ps -ef | grep etcd'.
-          Run the below command (based on the etcd data directory found above).
-          For example, chown etcd:etcd /var/lib/etcd
-        scored: true
-
   - id: 2
     text: "Etcd Node Configuration"
     checks: