Remove 1.X.XX check from K3s etcd helper script

Signed-off-by: Derek Nola <[email protected]>
dereknola · Jul 18, 2024 · 484804c · 484804c
1 parent f20a387
commit 484804c
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 24 deletions.
diff --git a/package/cfg/k3s-cis-1.23-hardened/master.yaml b/package/cfg/k3s-cis-1.23-hardened/master.yaml
@@ -155,7 +155,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -731,7 +736,12 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/cfg/k3s-cis-1.23-permissive/master.yaml b/package/cfg/k3s-cis-1.23-permissive/master.yaml
@@ -155,7 +155,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -735,7 +740,12 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/cfg/k3s-cis-1.24-hardened/master.yaml b/package/cfg/k3s-cis-1.24-hardened/master.yaml
@@ -152,7 +152,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -742,7 +747,12 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/cfg/k3s-cis-1.24-permissive/master.yaml b/package/cfg/k3s-cis-1.24-permissive/master.yaml
@@ -152,7 +152,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -745,7 +750,12 @@ groups:
 
       - id: 1.2.26
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/cfg/k3s-cis-1.7-hardened/master.yaml b/package/cfg/k3s-cis-1.7-hardened/master.yaml
@@ -156,7 +156,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -722,7 +727,12 @@ groups:
 
       - id: 1.2.25
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/cfg/k3s-cis-1.7-permissive/master.yaml b/package/cfg/k3s-cis-1.7-permissive/master.yaml
@@ -156,7 +156,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -733,7 +738,12 @@ groups:
 
       - id: 1.2.25
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/cfg/k3s-cis-1.8-hardened/master.yaml b/package/cfg/k3s-cis-1.8-hardened/master.yaml
@@ -156,7 +156,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -704,7 +709,12 @@ groups:
 
       - id: 1.2.24
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/cfg/k3s-cis-1.8-permissive/master.yaml b/package/cfg/k3s-cis-1.8-permissive/master.yaml
@@ -156,7 +156,12 @@ groups:
 
       - id: 1.1.11
         text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.1.11"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
+          else 
+            echo "permissions=700"
+          fi
         tests:
           test_items:
             - flag: "permissions"
@@ -714,7 +719,12 @@ groups:
 
       - id: 1.2.24
         text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
-        audit: "check_for_k3s_etcd.sh 1.2.29"
+        audit: |
+          if [ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
+            journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver' | tail -n1
+          else 
+            echo "--etcd-certfile AND --etcd-keyfile"
+          fi
         tests:
           bin_op: and
           test_items:

diff --git a/package/helper_scripts/check_for_k3s_etcd.sh b/package/helper_scripts/check_for_k3s_etcd.sh
@@ -13,10 +13,6 @@ trap 'handle_error' ERR
 
 if [[ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster initializing' | wc -l)" -gt 0 ]]; then
     case $1 in 
-        "1.1.11")
-            echo $(stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd);;
-        "1.2.29")
-            echo $(journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver');;
         "2.1")
             echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');;
         "2.2")
@@ -35,10 +31,6 @@ if [[ "$(journalctl -D /var/log/journal -u k3s | grep -m1 'Managed etcd cluster
 else
 # If another database is running, return whatever is required to pass the scan
     case $1 in
-        "1.1.11")
-            echo "permissions=700";;
-        "1.2.29")
-            echo "--etcd-certfile AND --etcd-keyfile";;
         "2.1")
             echo "cert-file AND key-file";;
         "2.2")