diff --git a/package/cfg/config.yaml b/package/cfg/config.yaml index 1cf13bae..4e350f05 100644 --- a/package/cfg/config.yaml +++ b/package/cfg/config.yaml @@ -80,8 +80,8 @@ master: - /etc/kubernetes/manifests/etcd.manifest - /etc/etcd/etcd.conf - /var/snap/etcd/common/etcd.conf.yml - - /var/lib/rancher/rke2/server/db/etcd/config - /var/lib/rancher/k3s/server/db/etcd/config + - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml flanneld: @@ -186,8 +186,8 @@ etcd: - /etc/kubernetes/manifests/etcd.manifest - /etc/etcd/etcd.conf - /var/snap/etcd/common/etcd.conf.yml - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml - /var/lib/rancher/k3s/server/db/etcd/config + - /var/lib/rancher/rke2/server/db/etcd/config defaultconf: /etc/kubernetes/manifests/etcd.yaml controlplane: diff --git a/package/cfg/k3s-cis-1.8-hardened/master.yaml b/package/cfg/k3s-cis-1.8-hardened/master.yaml index 55ae4e16..320a6db2 100644 --- a/package/cfg/k3s-cis-1.8-hardened/master.yaml +++ b/package/cfg/k3s-cis-1.8-hardened/master.yaml 
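Review bot: After the -186 hunk, `$etcdconf` means two different files depending on the node type: `master.etcd.confs` now lists the RKE2 pod manifest while `etcd.etcd.confs` lists etcd's own config file, and the etcd.yaml checks in this commit read it as the latter (`cat $etcdconf` with `{.client-transport-security…}` paths). Both sections keep `defaultconf: /etc/kubernetes/manifests/etcd.yaml`, so if kube-bench falls back to `defaultconf` when none of the `confs` entries exists (as I understand it does), an etcd-profile run on a host without the config file would feed a pod manifest to those JSONPath checks and fail them for the wrong reason. A comment on the swapped entries would keep the next edit from "fixing" the asymmetry, e.g. `# etcd's own key/value config, not the pod manifest: the etcd.yaml checks read it via audit_config` on the added line in the etcd section. The version-specific rke2 config.yaml hunks in this diff drop their own `confs:`, so they now rely on this base list staying in sync.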
@@ -136,21 +136,17 @@ groups: scored: true - id: 1.1.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" - type: skip - audit: | - ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G - find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G + text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" + audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G use_multiple_values: true tests: test_items: - flag: "root:root" remediation: | - Not Applicable. Run the below command (based on the file location on your system) on the control plane node. For example, - chown root:root - scored: false + chown root:root /var/lib/cni/networks/ + scored: true - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" diff --git a/package/cfg/k3s-cis-1.8-permissive/master.yaml b/package/cfg/k3s-cis-1.8-permissive/master.yaml index 7a90c1af..cdce4ef4 100644 --- a/package/cfg/k3s-cis-1.8-permissive/master.yaml +++ b/package/cfg/k3s-cis-1.8-permissive/master.yaml 
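Review bot: The remediation `chown root:root /var/lib/cni/networks/` only changes the directory, but the new audit stats the files under it (`find /var/lib/cni/networks -type f`), so a node remediated as written still fails the check; it should read `chown -R root:root /var/lib/cni/networks/`. The rewrite also drops the lookup of the kubelet's `--cni-conf-dir`, so CNI configuration files are no longer covered by this now-scored check; if that is deliberate because k3s does not pass that flag, a one-line comment above `audit:` saying so would stop it being re-added. When the directory is absent, `find … 2> /dev/null` emits nothing and `xargs --no-run-if-empty` runs nothing, so it is worth confirming how kube-bench scores an empty result under `use_multiple_values: true` before marking this Automated. The same hunk appears in k3s-cis-1.8-permissive/master.yaml below.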
@@ -136,21 +136,17 @@ groups: scored: true - id: 1.1.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" - type: skip - audit: | - ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G - find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G + text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" + audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G use_multiple_values: true tests: test_items: - flag: "root:root" remediation: | - Not Applicable. Run the below command (based on the file location on your system) on the control plane node. For example, - chown root:root - scored: false + chown root:root /var/lib/cni/networks/ + scored: true - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" diff --git a/package/cfg/rke2-cis-1.23-hardened/config.yaml b/package/cfg/rke2-cis-1.23-hardened/config.yaml index d775e982..cfc3f971 100644 --- a/package/cfg/rke2-cis-1.23-hardened/config.yaml +++ b/package/cfg/rke2-cis-1.23-hardened/config.yaml @@ -37,8 +37,6 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml diff --git a/package/cfg/rke2-cis-1.23-permissive/config.yaml b/package/cfg/rke2-cis-1.23-permissive/config.yaml index d775e982..cfc3f971 100644 --- a/package/cfg/rke2-cis-1.23-permissive/config.yaml +++ b/package/cfg/rke2-cis-1.23-permissive/config.yaml @@ -37,8 +37,6 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 
diff --git a/package/cfg/rke2-cis-1.24-hardened/config.yaml b/package/cfg/rke2-cis-1.24-hardened/config.yaml index d775e982..290e0425 100644 --- a/package/cfg/rke2-cis-1.24-hardened/config.yaml +++ b/package/cfg/rke2-cis-1.24-hardened/config.yaml @@ -37,24 +37,31 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml - node: - components: - - kubelet - - proxy +etcd: + components: + - etcd - kubelet: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig - defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + etcd: + bins: + - etcd + defaultconf: /var/lib/rancher/rke2/server/db/etcd/config - proxy: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig +node: + components: + - kubelet + - proxy + + kubelet: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig + defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + + proxy: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig - policies: - components: - - policies +policies: + components: + - policies diff --git a/package/cfg/rke2-cis-1.24-hardened/etcd.yaml b/package/cfg/rke2-cis-1.24-hardened/etcd.yaml index 7c845db7..a8b36cf3 100644 --- a/package/cfg/rke2-cis-1.24-hardened/etcd.yaml +++ b/package/cfg/rke2-cis-1.24-hardened/etcd.yaml 
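Review bot: The removed and re-added `node:` … `policies:` stanzas are textually identical, so this hunk appears to re-indent them to the top level; if they were previously nested under `master:`, the `node` and `policies` node types were silently falling back to the base paths for kubelet.kubeconfig and client-ca.crt, and the commit message should say so because it changes what those profiles audit. The new top-level `etcd:` section sets `defaultconf: /var/lib/rancher/rke2/server/db/etcd/config` while `master.etcd` keeps `defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml` and loses its `confs:`, so the master's `$etcdconf` now comes from the search list in package/cfg/config.yaml rather than from this file. A comment makes that dependency visible, e.g. `# confs: inherited from package/cfg/config.yaml; etcd's own config is set under the top-level etcd: section`. The same hunk is repeated in the rke2-cis-1.24-permissive, rke2-cis-1.7-hardened and rke2-cis-1.7-permissive config.yaml files, and the two 1.23 config.yaml hunks drop `confs:` the same way.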
@@ -5,48 +5,59 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: + # When possible, we check the flag, the environment variable, and the configuration file + # kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test, + # we only check the config path. - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--cert-file" - env: "ETCD_CERT_FILE" - - flag: "--key-file" - env: "ETCD_KEY_FILE" + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, RKE2 generates cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. 
scored: true - type: "skip" - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true - type: "skip" + - path: "{.client-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, RKE2 sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
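Review bot: Check 2.1 now verifies only the contents of `$etcdconf`, not that the running etcd reads it: with `audit_config` alone, a process started from flags or environment rather than `--config-file` would pass as long as the on-disk file still names the default paths. Since the other checks in this hunk already pair `audit: "/bin/ps -fC $etcdbin"` with `audit_config`, 2.1 and 2.4 could add the same `audit:` line plus `- flag: "--config-file"` with `set: true` under their `bin_op: and` items (as far as I know the RKE2 etcd static pod is started with `--config-file`; confirm before relying on it). Comparing with `op: eq` against hard-coded RKE2 paths also means a cluster that legitimately points these keys at its own certificates fails "set as appropriate", which the check text does not say; a short comment above 2.1 stating that the profile enforces RKE2 defaults rather than the generic benchmark wording would set expectations. One more caveat: if `ps` truncates to terminal width when piped, a long etcd argument list could hide the flag, and `/bin/ps -fwwC $etcdbin` avoids that. The same hunk appears in the 1.24-permissive, 1.7-hardened and 1.7-permissive etcd.yaml files.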
@@ -58,52 +69,65 @@ groups: compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--peer-cert-file" - env: "ETCD_PEER_CERT_FILE" - - flag: "--peer-key-file" - env: "ETCD_PEER_KEY_FILE" + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, RKE2 generates peer cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - type: skip - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--peer-client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true + - path: "{.peer-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, RKE2 sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - type: skip - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: @@ -115,16 +139,23 @@ groups: compare: op: eq value: false + set: true + - path: "{.peer-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. - --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" - audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
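Review bot: The 2.5 remediation names the wrong flag: `By default, RKE2 sets the --peer-cert-auth parameter to true.` should read `By default, RKE2 sets the --peer-client-cert-auth parameter to true.` to match the check's `flag:` and text. The 2.3 and 2.6 remediations still call `$etcdconf` "the etcd pod specification file" while the lines they tell the operator to add (`client-transport-security:` / `peer-transport-security:` with `auto-tls: false`) are etcd config-file keys; now that `$etcdconf` resolves to etcd's own config, `edit the etcd configuration file $etcdconf on the master` is the accurate wording. As I understand it RKE2 regenerates that file on start, so the remediation might also point at where the override belongs instead of editing the generated file — confirm before wording it. The same text is repeated in the 1.24-permissive, 1.7-hardened and 1.7-permissive etcd.yaml hunks.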
@@ -136,10 +167,8 @@ groups: value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt" set: true remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, RKE2 generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/rke2-cis-1.24-permissive/config.yaml b/package/cfg/rke2-cis-1.24-permissive/config.yaml index d775e982..290e0425 100644 --- a/package/cfg/rke2-cis-1.24-permissive/config.yaml +++ b/package/cfg/rke2-cis-1.24-permissive/config.yaml @@ -37,24 +37,31 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml - node: - components: - - kubelet - - proxy +etcd: + components: + - etcd - kubelet: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig - defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + etcd: + bins: + - etcd + defaultconf: /var/lib/rancher/rke2/server/db/etcd/config - proxy: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig +node: + components: + - kubelet + - proxy + + kubelet: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig + defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + + proxy: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig - policies: - components: - - policies +policies: + components: + - policies 
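Review bot: Promoting 2.7 to `scored: true` on a path comparison only establishes that `$etcdconf` points at `/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt`, not that this CA is distinct from the one the API server trusts, which is what "a unique Certificate Authority" asks for; the wording `By default, RKE2 generates a unique certificate authority for etcd.` is accurate for the default layout, but the check would still pass if that file were replaced with a copy of the cluster CA. A comment on the check noting that it verifies the default file path rather than CA distinctness would make the limitation explicit. The test items start above this hunk, so their full shape is not visible here. The same hunk appears in the 1.24-permissive and both 1.7 etcd.yaml files.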
diff --git a/package/cfg/rke2-cis-1.24-permissive/etcd.yaml b/package/cfg/rke2-cis-1.24-permissive/etcd.yaml
index 996b7102..a8b36cf3 100644
--- a/package/cfg/rke2-cis-1.24-permissive/etcd.yaml
+++ b/package/cfg/rke2-cis-1.24-permissive/etcd.yaml
@@ -5,48 +5,59 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: + # When possible, we check the flag, the environment variable, and the configuration file + # kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test, + # we only check the config path. - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--cert-file" - env: "ETCD_CERT_FILE" - - flag: "--key-file" - env: "ETCD_KEY_FILE" + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, RKE2 generates cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. 
scored: true - type: "skip" - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true - type: "skip" + - path: "{.client-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, RKE2 sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -58,55 +69,65 @@ groups: compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--peer-cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "--peer-key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, RKE2 generates peer cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - type: "skip" - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--peer-client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true - set: true + - path: "{.peer-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, RKE2 sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - type: "skip" - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: @@ -119,16 +140,22 @@ groups: op: eq value: false set: true + - path: "{.peer-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. - --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" - audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -140,10 +167,8 @@ groups: value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt" set: true remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, RKE2 generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/rke2-cis-1.7-hardened/config.yaml b/package/cfg/rke2-cis-1.7-hardened/config.yaml index d775e982..290e0425 100644 --- a/package/cfg/rke2-cis-1.7-hardened/config.yaml +++ b/package/cfg/rke2-cis-1.7-hardened/config.yaml @@ -37,24 +37,31 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml - node: - components: - - kubelet - - proxy +etcd: + components: + - etcd - kubelet: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig - defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + etcd: + bins: + - etcd + defaultconf: /var/lib/rancher/rke2/server/db/etcd/config - proxy: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig +node: + components: + - kubelet + - proxy + + kubelet: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig + defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + + proxy: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig - policies: - components: - - policies +policies: + components: + - policies diff --git a/package/cfg/rke2-cis-1.7-hardened/etcd.yaml b/package/cfg/rke2-cis-1.7-hardened/etcd.yaml index de4edd9a..a53f66a7 100644 
--- a/package/cfg/rke2-cis-1.7-hardened/etcd.yaml
+++ b/package/cfg/rke2-cis-1.7-hardened/etcd.yaml
@@ -5,50 +5,59 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: + # When possible, we check the flag, the environment variable, and the configuration file + # kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test, + # we only check the config path. - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--cert-file" - env: "ETCD_CERT_FILE" - - flag: "--key-file" - env: "ETCD_KEY_FILE" + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= - Not Applicable. + By default, RKE2 generates cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. 
scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true + - path: "{.client-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" - Not Applicable. + By default, RKE2 sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -60,57 +69,65 @@ groups: compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--peer-cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "--peer-key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= - Not Applicable. + By default, RKE2 generates peer cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--peer-client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true - set: true + - path: "{.peer-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true - Not Applicable. + By default, RKE2 sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: @@ -123,16 +140,22 @@ groups: op: eq value: false set: true + - path: "{.peer-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. - --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" - audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -144,10 +167,8 @@ groups: value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt" set: true remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= + By default, RKE2 generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. scored: true diff --git a/package/cfg/rke2-cis-1.7-permissive/config.yaml b/package/cfg/rke2-cis-1.7-permissive/config.yaml index d775e982..290e0425 100644 --- a/package/cfg/rke2-cis-1.7-permissive/config.yaml +++ b/package/cfg/rke2-cis-1.7-permissive/config.yaml @@ -37,24 +37,31 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml - node: - components: - - kubelet - - proxy +etcd: + components: + - etcd - kubelet: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig - defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + etcd: + bins: + - etcd + defaultconf: /var/lib/rancher/rke2/server/db/etcd/config - proxy: - defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig +node: + components: + - kubelet + - proxy + + kubelet: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig + defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt + + proxy: + defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig - policies: - components: - - policies +policies: + components: + - policies diff --git a/package/cfg/rke2-cis-1.7-permissive/etcd.yaml b/package/cfg/rke2-cis-1.7-permissive/etcd.yaml index de4edd9a..a53f66a7 100644 
--- a/package/cfg/rke2-cis-1.7-permissive/etcd.yaml
+++ b/package/cfg/rke2-cis-1.7-permissive/etcd.yaml
@@ -5,50 +5,59 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: + # When possible, we check the flag, the environment variable, and the configuration file + # kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test, + # we only check the config path. - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--cert-file" - env: "ETCD_CERT_FILE" - - flag: "--key-file" - env: "ETCD_KEY_FILE" + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= - Not Applicable. + By default, RKE2 generates cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. 
scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true + - path: "{.client-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" - Not Applicable. + By default, RKE2 sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
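Review bot: Check 2.1 now passes only when `client-transport-security.cert-file` and `key-file` equal the RKE2 default paths exactly (`op: eq`), so a cluster that has deliberately installed its own certificates fails a check whose text asks only that the arguments be "set as appropriate"; the removed items used `set: true`, which the `path` form also supports. If the intent is to verify the stock RKE2 layout, the check text and remediation should say so; otherwise `- path: "{.client-transport-security.cert-file}"` with `set: true` (and likewise for `key-file`) keeps the check Automated and scored without penalising custom certificates. The same pattern is repeated for the peer files in check 2.4 of the next hunk and in the matching hunks of `rke2-cis-1.8-hardened/etcd.yaml` and `rke2-cis-1.8-permissive/etcd.yaml`. Check 2.3's `test_items` continue outside this hunk.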
@@ -60,57 +69,65 @@ groups: compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--peer-cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "--peer-key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= - Not Applicable. + By default, RKE2 generates peer cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--peer-client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true - set: true + - path: "{.peer-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true - Not Applicable. + By default, RKE2 sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: @@ -123,16 +140,22 @@ groups: op: eq value: false set: true + - path: "{.peer-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. - --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" - audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
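Review bot: The 2.5 remediation names the wrong flag: `By default, RKE2 sets the --peer-cert-auth parameter to true.` should read `--peer-client-cert-auth`, the flag the check itself tests. The 2.3 and 2.6 remediations still say "edit the etcd pod specification file $etcdconf" although the snippet they show (`client-transport-security:` / `auto-tls: false`) is etcd's own YAML config, which is what `$etcdconf` now resolves to, so "etcd configuration file" would be accurate. The new `{.client-transport-security.auto-tls}` and `{.peer-transport-security.auto-tls}` items compare only `eq false`; when the key is absent, which the remediation states is the RKE2 default, this branch is unlikely to pass on its own and the `or` then depends on the flag/env items, whose `set: false` variants (if present) lie outside the hunk. The same text appears in the `rke2-cis-1.8-hardened/etcd.yaml` and `rke2-cis-1.8-permissive/etcd.yaml` hunks and in the `@@ -123,16 +140,22 @@` / `@@ -124,16 +140,22 @@` hunks of each file.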
@@ -144,10 +167,8 @@ groups: value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt" set: true remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= + By default, RKE2 generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. scored: true diff --git a/package/cfg/rke2-cis-1.8-hardened/config.yaml b/package/cfg/rke2-cis-1.8-hardened/config.yaml index a20b9b52..c23fe321 100644 --- a/package/cfg/rke2-cis-1.8-hardened/config.yaml +++ b/package/cfg/rke2-cis-1.8-hardened/config.yaml @@ -33,12 +33,19 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml +etcd: + components: + - etcd + + etcd: + bins: + - etcd + defaultconf: /var/lib/rancher/rke2/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/rke2-cis-1.8-hardened/etcd.yaml b/package/cfg/rke2-cis-1.8-hardened/etcd.yaml index 22221c97..5b20c2d8 100644 --- a/package/cfg/rke2-cis-1.8-hardened/etcd.yaml +++ b/package/cfg/rke2-cis-1.8-hardened/etcd.yaml 
@@ -5,51 +5,59 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: + # When possible, we check the flag, the environment variable, and the configuration file + # kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test, + # we only check the config path. - id: 2 text: "Etcd Node Configuration" checks: - - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--cert-file" - env: "ETCD_CERT_FILE" - - flag: "--key-file" - env: "ETCD_KEY_FILE" + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= - Not Applicable. + By default, RKE2 generates cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. 
scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true + - path: "{.client-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" - Not Applicable. + By default, RKE2 sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -61,57 +69,65 @@ groups: compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--peer-cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "--peer-key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= - Not Applicable. + By default, RKE2 generates peer cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--peer-client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true - set: true + - path: "{.peer-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true - Not Applicable. + By default, RKE2 sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: @@ -124,16 +140,22 @@ groups: op: eq value: false set: true + - path: "{.peer-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. - --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" - audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -145,10 +167,8 @@ groups: value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt" set: true remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= + By default, RKE2 generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. scored: true diff --git a/package/cfg/rke2-cis-1.8-permissive/config.yaml b/package/cfg/rke2-cis-1.8-permissive/config.yaml index 5500a1a1..29746db7 100644 --- a/package/cfg/rke2-cis-1.8-permissive/config.yaml +++ b/package/cfg/rke2-cis-1.8-permissive/config.yaml @@ -33,12 +33,19 @@ master: etcd: bins: - etcd - confs: - - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml datadirs: - /var/lib/rancher/rke2/server/db/etcd defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml +etcd: + components: + - etcd + + etcd: + bins: + - etcd + defaultconf: /var/lib/rancher/rke2/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/rke2-cis-1.8-permissive/etcd.yaml b/package/cfg/rke2-cis-1.8-permissive/etcd.yaml index 7590141b..5b20c2d8 100644 --- a/package/cfg/rke2-cis-1.8-permissive/etcd.yaml +++ b/package/cfg/rke2-cis-1.8-permissive/etcd.yaml 
@@ -5,50 +5,59 @@ id: 2 text: "Etcd Node Configuration" type: "etcd" groups: + # When possible, we check the flag, the environment variable, and the configuration file + # kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test, + # we only check the config path. - id: 2 text: "Etcd Node Configuration" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--cert-file" - env: "ETCD_CERT_FILE" - - flag: "--key-file" - env: "ETCD_KEY_FILE" + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= - Not Applicable. + By default, RKE2 generates cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. 
scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--client-cert-auth" env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true + - path: "{.client-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" - Not Applicable. + By default, RKE2 sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -60,57 +69,65 @@ groups: compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit_config: "cat $etcdconf" tests: bin_op: and test_items: - - flag: "--peer-cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "--peer-key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= - Not Applicable. + By default, RKE2 generates peer cert and key files for etcd. + These are located in /var/lib/rancher/rke2/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - type: "skip" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: + bin_op: or test_items: - flag: "--peer-client-cert-auth" env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true - set: true + - path: "{.peer-transport-security.client-cert-auth}" + compare: + op: eq + value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true - Not Applicable. + By default, RKE2 sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: @@ -123,16 +140,22 @@ groups: op: eq value: false set: true + - path: "{.peer-transport-security.auto-tls}" + compare: + op: eq + value: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, RKE2 does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. - --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep" - audit_config: "cat /var/lib/rancher/rke2/server/db/etcd/config" + audit: "/bin/ps -fC $etcdbin" + audit_config: "cat $etcdconf" tests: bin_op: or test_items: 
@@ -144,10 +167,8 @@ groups: value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt" set: true remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= + By default, RKE2 generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. scored: true