Fix K3s 2.X checks and other minor cleanup (rancher#228)

* Fix K3s 4.X checks to automated Signed-off-by: Derek Nola <[email protected]> * Fix audits and remediations for K3s 2.X checks - Simplify the check_for_k3s_etch.sh script Signed-off-by: Derek Nola <[email protected]> * Remove extra period and the Signed-off-by: Derek Nola <[email protected]> * Follow standard yaml list indentation Signed-off-by: Derek Nola <[email protected]> * Fix typo Signed-off-by: Derek Nola <[email protected]> * Corrected file name in K3s 4.2.3 Signed-off-by: Derek Nola <[email protected]> * Convert automated (hardened) checks to scored. Signed-off-by: Derek Nola <[email protected]> * Fix typos Signed-off-by: Derek Nola <[email protected]> * Remove check_for_k3s_etcd.sh Signed-off-by: Derek Nola <[email protected]> --------- Signed-off-by: Derek Nola <[email protected]>
dereknola · Aug 9, 2024 · 07c8b80 · 07c8b80
1 parent af63378
commit 07c8b80
Show file tree

Hide file tree

Showing 39 changed files with 1,051 additions and 1,122 deletions.
diff --git a/package/Dockerfile b/package/Dockerfile
@@ -126,7 +126,6 @@ COPY package/run.sh \
     package/helper_scripts/check_for_network_policies.sh \
     package/helper_scripts/check_for_default_sa.sh \
     package/helper_scripts/check_for_default_ns.sh \
-    package/helper_scripts/check_for_k3s_etcd.sh \
     package/helper_scripts/check_for_rke2_network_policies.sh \
     package/helper_scripts/check_for_rke2_cni_net_policy_support.sh \
     package/helper_scripts/check_cafile_permissions.sh \

diff --git a/package/cfg/config.yaml b/package/cfg/config.yaml
@@ -81,6 +81,7 @@ master:
       - /etc/etcd/etcd.conf
       - /var/snap/etcd/common/etcd.conf.yml
       - /var/lib/rancher/rke2/server/db/etcd/config
+      - /var/lib/rancher/k3s/server/db/etcd/config
     defaultconf: /etc/kubernetes/manifests/etcd.yaml
 
   flanneld:

diff --git a/package/cfg/k3s-cis-1.23-hardened/etcd.yaml b/package/cfg/k3s-cis-1.23-hardened/etcd.yaml
@@ -10,137 +10,135 @@ groups:
     checks:
       - id: 2.1
         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.1"
+        audit_config: "cat $etcdconf"
         tests:
           bin_op: and
           test_items:
-            - flag: "cert-file"
-              env: "ETCD_CERT_FILE"
-              set: true
-            - flag: "key-file"
-              env: "ETCD_KEY_FILE"
-              set: true
+            - path: "{.client-transport-security.cert-file}"
+              compare:
+                op: eq
+                value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt"
+            - path: "{.client-transport-security.key-file}"
+              compare:
+                op: eq
+                value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key"
         remediation: |
-          Follow the etcd service documentation and configure TLS encryption.
-          Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
-          on the master node and set the below parameters.
-          --cert-file=</path/to/ca-file>
-          --key-file=</path/to/key-file>
-        scored: true
+          If running on with sqlite or a external DB, etcd checks are Not Applicable.
+          When running with embedded-etcd, K3s generates cert and key files for etcd.
+          These are located in /var/lib/rancher/k3s/server/tls/etcd/.
+          If this check fails, ensure that the configuration file $etcdconf
+          has not been modified to use custom cert and key files.
+        scored: false
 
       - id: 2.2
         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.2"
+        audit_config: "cat $etcdconf"
         tests:
-          bin_op: or
           test_items:
-            - flag: "--client-cert-auth"
-              set: true
-            - flag: "client-cert-auth"
-              env: "ETCD_CLIENT_CERT_AUTH"
+            - path: "{.client-transport-security.client-cert-auth}"
               compare:
                 op: eq
                 value: true
         remediation: |
-          Edit the etcd pod specification file $etcdconf on the master
-          node and set the below parameter.
-          --client-cert-auth="true"
-        scored: true
+          If running on with sqlite or a external DB, etcd checks are Not Applicable.
+          When running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.
+          If this check fails, ensure that the configuration file $etcdconf
+          has not been modified to disable client certificate authentication.
+        scored: false
 
       - id: 2.3
         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.3"
+        audit_config: "cat $etcdconf"
         tests:
           bin_op: or
           test_items:
-            - flag: "--auto-tls"
-              env: "ETCD_AUTO_TLS"
-              set: false
-            - flag: "--auto-tls"
-              env: "ETCD_AUTO_TLS"
+            - path: "{.client-transport-security.auto-tls}"
               compare:
                 op: eq
                 value: false
+            - path: "{.client-transport-security.auto-tls}"
+              set: false
         remediation: |
-          Edit the etcd pod specification file $etcdconf on the master
+          If running on with sqlite or a external DB, etcd checks are Not Applicable.
+          When running with embedded-etcd, K3s does not set the --auto-tls parameter.
+          If this check fails, edit the etcd pod specification file $etcdconf on the master
           node and either remove the --auto-tls parameter or set it to false.
-            --auto-tls=false
-        scored: true
+          client-transport-security:
+            auto-tls: false
+        scored: false
 
       - id: 2.4
         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.4"
+        audit_config: "cat $etcdconf"
         tests:
           bin_op: and
           test_items:
-            - flag: "cert-file"
-              env: "ETCD_PEER_CERT_FILE"
-              set: true
-            - flag: "key-file"
-              env: "ETCD_PEER_KEY_FILE"
-              set: true
+            - path: "{.peer-transport-security.cert-file}"
+              compare:
+                op: eq
+                value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt"
+            - path: "{.peer-transport-security.key-file}"
+              compare:
+                op: eq
+                value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key"
         remediation: |
-          Follow the etcd service documentation and configure peer TLS encryption as appropriate
-          for your etcd cluster.
-          Then, edit the etcd pod specification file $etcdconf on the
-          master node and set the below parameters.
-          --peer-client-file=</path/to/peer-cert-file>
-          --peer-key-file=</path/to/peer-key-file>
-        scored: true
+          If running on with sqlite or a external DB, etcd checks are Not Applicable.
+          When running with embedded-etcd, K3s generates peer cert and key files for etcd.
+          These are located in /var/lib/rancher/k3s/server/tls/etcd/.
+          If this check fails, ensure that the configuration file $etcdconf
+          has not been modified to use custom peer cert and key files.
+        scored: false
 
       - id: 2.5
         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.5"
+        audit_config: "cat $etcdconf"
         tests:
-          bin_op: or
           test_items:
-            - flag: "--client-cert-auth"
-              set: true
-            - flag: "client-cert-auth"
-              env: "ETCD_PEER_CLIENT_CERT_AUTH"
+            - path: "{.peer-transport-security.client-cert-auth}"
               compare:
                 op: eq
                 value: true
         remediation: |
-          Edit the etcd pod specification file $etcdconf on the master
-          node and set the below parameter.
-          --peer-client-cert-auth=true
-        scored: true
+          If running on with sqlite or a external DB, etcd checks are Not Applicable.
+          When running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.
+          If this check fails, ensure that the configuration file $etcdconf
+          has not been modified to disable peer client certificate authentication.
+        scored: false
 
       - id: 2.6
         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
-        audit: "check_for_k3s_etcd.sh 2.6"
+        audit_config: "cat $etcdconf"
         tests:
           bin_op: or
           test_items:
-            - flag: "--peer-auto-tls"
-              env: "ETCD_PEER_AUTO_TLS"
-              set: false
-            - flag: "--peer-auto-tls"
-              env: "ETCD_PEER_AUTO_TLS"
+            - path: "{.peer-transport-security.auto-tls}"
               compare:
                 op: eq
                 value: false
-              set: true
+            - path: "{.peer-transport-security.auto-tls}"
+              set: false
         remediation: |
-          Edit the etcd pod specification file $etcdconf on the master
+          If running on with sqlite or a external DB, etcd checks are Not Applicable.
+          When running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.
+          If this check fails, edit the etcd pod specification file $etcdconf on the master
           node and either remove the --peer-auto-tls parameter or set it to false.
-          --peer-auto-tls=false
-        scored: true
+          peer-transport-security:
+            auto-tls: false
+        scored: false
 
       - id: 2.7
-        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
-        audit: "check_for_k3s_etcd.sh 2.7"
+        text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
+        audit_config: "cat $etcdconf"
         tests:
           test_items:
-            - flag: "trusted-ca-file"
-              env: "ETCD_TRUSTED_CA_FILE"
-              set: true
+            - path: "{.peer-transport-security.trusted-ca-file}"
+              compare:
+                op: eq
+                value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt"
         remediation: |
-          [Manual test]
-          Follow the etcd documentation and create a dedicated certificate authority setup for the
-          etcd service.
-          Then, edit the etcd pod specification file $etcdconf on the
-          master node and set the below parameter.
-          --trusted-ca-file=</path/to/ca-file>
+          If running on with sqlite or a external DB, etcd checks are Not Applicable.
+          When running with embedded-etcd, K3s generates a unique certificate authority for etcd.
+          This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.
+          If this check fails, ensure that the configuration file $etcdconf
+          has not been modified to use a shared certificate authority.
         scored: false
diff --git a/package/cfg/k3s-cis-1.23-hardened/master.yaml b/package/cfg/k3s-cis-1.23-hardened/master.yaml
@@ -837,7 +837,7 @@ groups:
           If a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.
           If this check fails, remove any custom configuration around `tls-cipher-suites` or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:
           kube-apiserver-arg:
-          - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+            - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
         scored: true
 
   - id: 1.3

diff --git a/package/cfg/k3s-cis-1.23-hardened/policies.yaml b/package/cfg/k3s-cis-1.23-hardened/policies.yaml
@@ -152,8 +152,8 @@ groups:
         text: "Minimize the admission of containers with capabilities assigned (Manual)"
         type: "manual"
         remediation: |
-          Review the use of capabilites in applications running on your cluster. Where a namespace
-          contains applicaions which do not require any Linux capabities to operate consider adding
+          Review the use of capabilities in applications running on your cluster. Where a namespace
+          contains applications which do not require any Linux capabities to operate consider adding
           a PSP which forbids the admission of containers which do not drop all capabilities.
         scored: false