Fix audits and remediations for K3s 2.X checks
- Simplify the check_for_k3s_etcd.sh script
Signed-off-by: Derek Nola <[email protected]>
dereknola committed Aug 5, 2024
1 parent 9809b41 commit 7640baa
Showing 16 changed files with 534 additions and 616 deletions.
1 change: 1 addition & 0 deletions package/cfg/config.yaml
@@ -81,6 +81,7 @@ master:
- /etc/etcd/etcd.conf
- /var/snap/etcd/common/etcd.conf.yml
- /var/lib/rancher/rke2/server/db/etcd/config
- /var/lib/rancher/k3s/server/db/etcd/config
defaultconf: /etc/kubernetes/manifests/etcd.yaml

flanneld:
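Review bot: the added K3s candidate `/var/lib/rancher/k3s/server/db/etcd/config` is what lets the `$etcdconf` placeholder in the K3s etcd.yaml remediations resolve to a real file on a K3s host, so please confirm on a running K3s server that the file exists at exactly that path; if none of the listed candidates exists, kube-bench falls back to `defaultconf: /etc/kubernetes/manifests/etcd.yaml`, which is not present on K3s, and every remediation would then tell the operator to edit a file that does not exist.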
135 changes: 63 additions & 72 deletions package/cfg/k3s-cis-1.23-hardened/etcd.yaml
@@ -10,137 +10,128 @@ groups:
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.1"
audit_config: "check_for_k3s_etcd.sh"
tests:
bin_op: and
test_items:
- flag: "cert-file"
env: "ETCD_CERT_FILE"
set: true
- flag: "key-file"
env: "ETCD_KEY_FILE"
set: true
- path: "{.client-transport-security.cert-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt"
- path: "{.client-transport-security.key-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key"
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
By default, K3s generates cert and key files for etcd.
These are located in /var/lib/rancher/k3s/server/tls/etcd/.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use custom cert and key files.
scored: true

- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.2"
audit_config: "check_for_k3s_etcd.sh"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
- path: "{.client-transport-security.client-cert-auth}"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--client-cert-auth="true"
By default, K3s sets the --client-cert-auth parameter to true.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to disable client certificate authentication.
scored: true

- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.3"
audit_config: "check_for_k3s_etcd.sh"
tests:
bin_op: or
test_items:
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
- path: "{.client-transport-security.auto-tls}"
compare:
op: eq
value: false
- path: "{.client-transport-security.auto-tls}"
set: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
By default, K3s does not set the --auto-tls parameter.
If this check fails, edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
client-transport-security:
auto-tls: false
scored: true

- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "check_for_k3s_etcd.sh 2.4"
audit_config: "check_for_k3s_etcd.sh"
tests:
bin_op: and
test_items:
- flag: "cert-file"
env: "ETCD_PEER_CERT_FILE"
set: true
- flag: "key-file"
env: "ETCD_PEER_KEY_FILE"
set: true
- path: "{.peer-transport-security.cert-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt"
- path: "{.peer-transport-security.key-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key"
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
By default, K3s generates peer cert and key files for etcd.
These are located in /var/lib/rancher/k3s/server/tls/etcd/.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use custom peer cert and key files.
scored: true

- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.5"
audit_config: "check_for_k3s_etcd.sh"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
- path: "{.peer-transport-security.client-cert-auth}"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--peer-client-cert-auth=true
By default, K3s sets the --peer-cert-auth parameter to true.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to disable peer client certificate authentication.
scored: true

- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "check_for_k3s_etcd.sh 2.6"
audit_config: "check_for_k3s_etcd.sh"
tests:
bin_op: or
test_items:
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
- path: "{.peer-transport-security.auto-tls}"
compare:
op: eq
value: false
set: true
- path: "{.peer-transport-security.auto-tls}"
set: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
By default, K3s does not set the --peer-auto-tls parameter.
If this check fails, edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
peer-transport-security:
auto-tls: false
scored: true

- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
audit: "check_for_k3s_etcd.sh 2.7"
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
audit_config: "check_for_k3s_etcd.sh"
tests:
test_items:
- flag: "trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
set: true
- path: "{.peer-transport-security.trusted-ca-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt"
remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
scored: false
By default, K3s generates a unique certificate authority for etcd.
This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use a shared certificate authority.
scored: true
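Review bot: check 2.7 is retitled "(Automated)" and scored, but its path item tests `{.peer-transport-security.trusted-ca-file}` against `peer-ca.crt` while the check text and the remediation (`--trusted-ca-file=</path/to/ca-file>`) concern the client-side trusted CA; either point the path at `{.client-transport-security.trusted-ca-file}` and the client CA file K3s generates, or keep the peer path and say so in the remediation. Either way, equality with the default path only shows the K3s-generated CA is in use, not that it is distinct from the Kubernetes CA, so the remediation wording "shared certificate authority" overstates what the test proves. Smaller points in the same hunk: the 2.4 remediation says `--peer-client-file=</path/to/peer-cert-file>` where the etcd flag is `--peer-cert-file`; the 2.5 remediation says "K3s sets the --peer-cert-auth parameter" where the flag being checked is `--peer-client-cert-auth`; the 2.1 remediation's placeholder `--cert-file=</path/to/ca-file>` should read `</path/to/cert-file>`; and in 2.6 the first path item carries `set: true` alongside its `compare` block, which the matching item in 2.3 does not, so if that line survives in the new file it should be dropped for consistency.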

0 comments on commit 7640baa