Merge pull request rancher#234 from dereknola/rke2_2x
Fix audits and remediation for RKE2 2.X Checks
andypitcher authored Aug 21, 2024
2 parents cd35f2e + e2e1768 commit 0e83d6c
Showing 17 changed files with 565 additions and 398 deletions.
4 changes: 2 additions & 2 deletions package/cfg/config.yaml
Expand Up @@ -80,8 +80,8 @@ master:
- /etc/kubernetes/manifests/etcd.manifest
- /etc/etcd/etcd.conf
- /var/snap/etcd/common/etcd.conf.yml
- /var/lib/rancher/rke2/server/db/etcd/config
- /var/lib/rancher/k3s/server/db/etcd/config
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
defaultconf: /etc/kubernetes/manifests/etcd.yaml

flanneld:
Expand Down Expand Up @@ -186,8 +186,8 @@ etcd:
- /etc/kubernetes/manifests/etcd.manifest
- /etc/etcd/etcd.conf
- /var/snap/etcd/common/etcd.conf.yml
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
- /var/lib/rancher/k3s/server/db/etcd/config
- /var/lib/rancher/rke2/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml

controlplane:
12 changes: 4 additions & 8 deletions package/cfg/k3s-cis-1.8-hardened/master.yaml
Expand Up @@ -136,21 +136,17 @@ groups:
scored: true

- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
type: skip
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Not Applicable.
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
scored: false
chown root:root /var/lib/cni/networks/<filename>
scored: true

- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
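Review bot: The new single-line audit for 1.1.10 only inspects /var/lib/cni/networks, so the CNI configuration directory that the removed `--cni-conf-dir` lookup used to cover is no longer audited at all, while the check is at the same time promoted to Automated and scored. If that narrowing is deliberate, a comment above `audit:` such as `# only /var/lib/cni/networks is audited; the --cni-conf-dir lookup was dropped on purpose` would stop the next reader from re-adding it, and if it is not, a second `find` over the CNI config directory piped into the same `stat` would keep the old coverage. Note also that when the directory is absent or empty the pipeline prints nothing, and with `use_multiple_values: true` plus a required `root:root` flag I believe kube-bench reports FAIL rather than PASS for a node that simply has no CNI files, which is worth confirming against the scorer. The same change appears in package/cfg/k3s-cis-1.8-permissive/master.yaml.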
12 changes: 4 additions & 8 deletions package/cfg/k3s-cis-1.8-permissive/master.yaml
Expand Up @@ -136,21 +136,17 @@ groups:
scored: true

- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
type: skip
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Not Applicable.
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
scored: false
chown root:root /var/lib/cni/networks/<filename>
scored: true

- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
2 changes: 0 additions & 2 deletions package/cfg/rke2-cis-1.23-hardened/config.yaml
Expand Up @@ -37,8 +37,6 @@ master:
etcd:
bins:
- etcd
confs:
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
datadirs:
- /var/lib/rancher/rke2/server/db/etcd
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
2 changes: 0 additions & 2 deletions package/cfg/rke2-cis-1.23-permissive/config.yaml
Expand Up @@ -37,8 +37,6 @@ master:
etcd:
bins:
- etcd
confs:
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
datadirs:
- /var/lib/rancher/rke2/server/db/etcd
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
35 changes: 21 additions & 14 deletions package/cfg/rke2-cis-1.24-hardened/config.yaml
Expand Up @@ -37,24 +37,31 @@ master:
etcd:
bins:
- etcd
confs:
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
datadirs:
- /var/lib/rancher/rke2/server/db/etcd
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml

node:
components:
- kubelet
- proxy
etcd:
components:
- etcd

kubelet:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt
etcd:
bins:
- etcd
defaultconf: /var/lib/rancher/rke2/server/db/etcd/config

proxy:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig
node:
components:
- kubelet
- proxy

kubelet:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt

proxy:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig

policies:
components:
- policies
policies:
components:
- policies
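Review bot: The file now defines etcd twice with different `defaultconf` values — the master section keeps the static pod manifest /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml while the new top-level etcd component points at /var/lib/rancher/rke2/server/db/etcd/config — and nothing says which checks consume which. A one-line comment above each, e.g. `# $etcdconf for master-type checks: the static pod manifest (presumably the 1.1.x file checks)` and `# $etcdconf for etcd-type checks: the config RKE2 writes, read by the 2.x flag tests`, would make the split read as intentional rather than as a leftover. The new etcd component also carries no `confs:` list, so as far as I can tell kube-bench substitutes `defaultconf` without verifying the file exists; if that path can be absent on some node roles, listing it under `confs:` would at least make the expectation explicit instead of producing an empty `cat`. The same structure is repeated in package/cfg/rke2-cis-1.24-permissive/config.yaml.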
125 changes: 77 additions & 48 deletions package/cfg/rke2-cis-1.24-hardened/etcd.yaml
Expand Up @@ -5,48 +5,59 @@ id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
# When possible, we check the flag, the environment variable, and the configuration file
# kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test,
# we only check the config path.
- id: 2
text: "Etcd Node Configuration"
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
audit_config: "cat $etcdconf"
tests:
bin_op: and
test_items:
- flag: "--cert-file"
env: "ETCD_CERT_FILE"
- flag: "--key-file"
env: "ETCD_KEY_FILE"
- path: "{.client-transport-security.cert-file}"
compare:
op: eq
value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt"
- path: "{.client-transport-security.key-file}"
compare:
op: eq
value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key"
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
By default, RKE2 generates cert and key files for etcd.
These are located in /var/lib/rancher/rke2/server/tls/etcd/.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use custom cert and key files.
scored: true
type: "skip"

- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
audit: "/bin/ps -fC $etcdbin"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
type: "skip"
- path: "{.client-transport-security.client-cert-auth}"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--client-cert-auth="true"
By default, RKE2 sets the --client-cert-auth parameter to true.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to disable client certificate authentication.
scored: true

- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
audit: "/bin/ps -fC $etcdbin"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
Expand All @@ -58,52 +69,65 @@ groups:
compare:
op: eq
value: false
- path: "{.client-transport-security.auto-tls}"
compare:
op: eq
value: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
By default, RKE2 does not set the --auto-tls parameter.
If this check fails, edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
client-transport-security:
auto-tls: false
scored: true

- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
audit_config: "cat $etcdconf"
tests:
bin_op: and
test_items:
- flag: "--peer-cert-file"
env: "ETCD_PEER_CERT_FILE"
- flag: "--peer-key-file"
env: "ETCD_PEER_KEY_FILE"
- path: "{.peer-transport-security.cert-file}"
compare:
op: eq
value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt"
- path: "{.peer-transport-security.key-file}"
compare:
op: eq
value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key"
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
By default, RKE2 generates peer cert and key files for etcd.
These are located in /var/lib/rancher/rke2/server/tls/etcd/.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use custom peer cert and key files.
scored: true
type: skip

- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
audit: "/bin/ps -fC $etcdbin"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
- flag: "--peer-client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
- path: "{.peer-transport-security.client-cert-auth}"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--peer-client-cert-auth=true
By default, RKE2 sets the --peer-cert-auth parameter to true.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to disable peer client certificate authentication.
scored: true
type: skip

- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
audit: "/bin/ps -fC $etcdbin"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
Expand All @@ -115,16 +139,23 @@ groups:
compare:
op: eq
value: false
set: true
- path: "{.peer-transport-security.auto-tls}"
compare:
op: eq
value: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
By default, RKE2 does not set the --peer-auto-tls parameter.
If this check fails, edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
peer-transport-security:
auto-tls: false
scored: true

- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config"
audit: "/bin/ps -fC $etcdbin"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
Expand All @@ -136,10 +167,8 @@ groups:
value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt"
set: true
remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
scored: false
By default, RKE2 generates a unique certificate authority for etcd.
This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use a shared certificate authority.
scored: true
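Review bot: Checks 2.1 and 2.4 now pass only when `client-transport-security.cert-file`/`key-file` and their peer equivalents equal the exact RKE2 default paths under /var/lib/rancher/rke2/server/tls/etcd/, so a cluster that follows the benchmark's own wording ("set as appropriate") and the remediation's instruction to set custom cert and key paths is scored FAIL even though TLS is fully configured. If the intent is "the values are set", drop the `compare:` stanza on each of those path items and keep `set: true`; if the intent really is "RKE2 defaults are untouched", say so in a comment above each check (`# asserts the RKE2-generated default paths, not merely that TLS is configured`) and in the remediation, which currently reads as if any correctly set path is acceptable. The same pattern applies to 2.7, where equality with peer-ca.crt shows that the default CA file is referenced, not that the CA is distinct from the cluster CA, so an operator-supplied dedicated etcd CA at another path fails a check titled "unique Certificate Authority". The 2.3 and 2.6 test lists begin inside collapsed context, so I cannot tell from the hunk whether an absent `auto-tls` key is treated as compliant under `bin_op: or`; a quick run on a node where RKE2 does not write that key would settle it.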
35 changes: 21 additions & 14 deletions package/cfg/rke2-cis-1.24-permissive/config.yaml
Expand Up @@ -37,24 +37,31 @@ master:
etcd:
bins:
- etcd
confs:
- /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
datadirs:
- /var/lib/rancher/rke2/server/db/etcd
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml

node:
components:
- kubelet
- proxy
etcd:
components:
- etcd

kubelet:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt
etcd:
bins:
- etcd
defaultconf: /var/lib/rancher/rke2/server/db/etcd/config

proxy:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig
node:
components:
- kubelet
- proxy

kubelet:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt

proxy:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig

policies:
components:
- policies
policies:
components:
- policies
