diff --git a/package/cfg/config.yaml b/package/cfg/config.yaml index 524dd102..d02d768f 100644 --- a/package/cfg/config.yaml +++ b/package/cfg/config.yaml @@ -81,6 +81,7 @@ master: - /etc/etcd/etcd.conf - /var/snap/etcd/common/etcd.conf.yml - /var/lib/rancher/rke2/server/db/etcd/config + - /var/lib/rancher/k3s/server/db/etcd/config defaultconf: /etc/kubernetes/manifests/etcd.yaml flanneld: diff --git a/package/cfg/k3s-cis-1.23-hardened/etcd.yaml b/package/cfg/k3s-cis-1.23-hardened/etcd.yaml index 5895b016..a57891fa 100644 --- a/package/cfg/k3s-cis-1.23-hardened/etcd.yaml +++ b/package/cfg/k3s-cis-1.23-hardened/etcd.yaml 
@@ -10,137 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 - text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" - audit: "check_for_k3s_etcd.sh 2.7" + text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/k3s-cis-1.23-permissive/etcd.yaml b/package/cfg/k3s-cis-1.23-permissive/etcd.yaml index 68f43337..a57891fa 100644 --- a/package/cfg/k3s-cis-1.23-permissive/etcd.yaml +++ b/package/cfg/k3s-cis-1.23-permissive/etcd.yaml 
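Review bot: Check 2.7, now Automated and `scored: true`, inspects only `{.peer-transport-security.trusted-ca-file}`, yet its `text:` names `--trusted-ca-file`, which is the CA etcd uses to verify client connections, so a node reconfigured to a shared client-side CA still passes. Equality with the default path also does not establish that the CA is unique; it only shows the default filename is still configured, and the remediation text should not imply more than that. I would at least cover the client side as well: add `bin_op: and` under `tests:` and a second item `- path: "{.client-transport-security.trusted-ca-file}"` with `set: true`, since the K3s client CA filename is not shown on this page to compare against. The same test appears in the k3s-cis-1.23-permissive, k3s-cis-1.24-hardened and k3s-cis-1.24-permissive hunks; the enclosing `groups:` block starts before this hunk.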
@@ -10,139 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 - text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" - audit: "check_for_k3s_etcd.sh 2.7" + text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/k3s-cis-1.24-hardened/config.yaml b/package/cfg/k3s-cis-1.24-hardened/config.yaml index 682d2f50..4bc54a66 100644 --- a/package/cfg/k3s-cis-1.24-hardened/config.yaml +++ b/package/cfg/k3s-cis-1.24-hardened/config.yaml @@ -30,6 +30,9 @@ master: bins: - containerd +etcd: + confs: /var/lib/rancher/k3s/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/k3s-cis-1.24-hardened/etcd.yaml b/package/cfg/k3s-cis-1.24-hardened/etcd.yaml index e4fc5680..c080891d 100644 --- a/package/cfg/k3s-cis-1.24-hardened/etcd.yaml +++ b/package/cfg/k3s-cis-1.24-hardened/etcd.yaml 
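Review bot: Checks 2.1 and 2.4 replace `set: true` with `compare: op: eq` against fixed default certificate paths, so a node whose operator supplied its own certificates at a non-default path — which the check `text:` ("set as appropriate") still accepts — now fails, and this is the permissive profile. The removed test only required the setting to be present, which matches that wording. If the intent is to detect drift from the K3s-generated defaults, that is a stricter control than the text describes and the `text:` should say so; otherwise keep `set: true` on each `path:` item and drop the `compare:` stanza. The same change appears in the k3s-cis-1.23-hardened, k3s-cis-1.24-hardened, k3s-cis-1.24-permissive and k3s-cis-1.7-hardened hunks.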
@@ -10,137 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 - text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" - audit: "check_for_k3s_etcd.sh 2.7" + text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/k3s-cis-1.24-permissive/config.yaml b/package/cfg/k3s-cis-1.24-permissive/config.yaml index 682d2f50..4bc54a66 100644 --- a/package/cfg/k3s-cis-1.24-permissive/config.yaml +++ b/package/cfg/k3s-cis-1.24-permissive/config.yaml @@ -30,6 +30,9 @@ master: bins: - containerd +etcd: + confs: /var/lib/rancher/k3s/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/k3s-cis-1.24-permissive/etcd.yaml b/package/cfg/k3s-cis-1.24-permissive/etcd.yaml index 8fe6f7c5..c080891d 100644 --- a/package/cfg/k3s-cis-1.24-permissive/etcd.yaml +++ b/package/cfg/k3s-cis-1.24-permissive/etcd.yaml 
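Review bot: The new remediation for check 2.5 names `--peer-cert-auth`, but the check `text:` above it and the path it tests, `{.peer-transport-security.client-cert-auth}`, both refer to `--peer-client-cert-auth`, so an operator following the remediation is pointed at a flag name that matches nothing else in the check. Change the line to `By default, K3s sets the --peer-client-cert-auth parameter to true.`. The same wording appears in the k3s-cis-1.23-hardened, k3s-cis-1.23-permissive and k3s-cis-1.24-permissive hunks; the k3s-cis-1.7-hardened hunk is cut off before its check 2.5 in this view.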
@@ -10,139 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "check_for_k3s_etcd.sh 2.7" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/k3s-cis-1.7-hardened/config.yaml b/package/cfg/k3s-cis-1.7-hardened/config.yaml index 75f8de10..1ec1284a 100644 --- a/package/cfg/k3s-cis-1.7-hardened/config.yaml +++ b/package/cfg/k3s-cis-1.7-hardened/config.yaml @@ -36,6 +36,9 @@ master: bins: - containerd +etcd: + confs: /var/lib/rancher/k3s/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/k3s-cis-1.7-hardened/etcd.yaml b/package/cfg/k3s-cis-1.7-hardened/etcd.yaml index ad48e407..4c9369e4 100644 --- a/package/cfg/k3s-cis-1.7-hardened/etcd.yaml +++ b/package/cfg/k3s-cis-1.7-hardened/etcd.yaml 
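Review bot: The rewritten remediation for checks 2.3 and 2.6 still calls `$etcdconf` "the etcd pod specification file", but the config.yaml hunks in this same change point `$etcdconf` at `/var/lib/rancher/k3s/server/db/etcd/config`, and the snippet that follows (`client-transport-security:` / `auto-tls: false`) is etcd configuration-file syntax rather than a pod spec, so the sentence sends the operator to the wrong kind of file. Checks 2.1, 2.2, 2.4, 2.5 and 2.7 in the same hunk already say `configuration file $etcdconf`; align 2.3 and 2.6 with them: `If this check fails, edit the etcd configuration file $etcdconf on the master`. If K3s regenerates that file from its own arguments at startup — not something this page shows — a hand edit would also not persist, and the remediation should then name the K3s-level setting instead. The same text appears in the other etcd.yaml hunks in this diff.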
@@ -10,139 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "check_for_k3s_etcd.sh 2.7" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/k3s-cis-1.7-permissive/config.yaml b/package/cfg/k3s-cis-1.7-permissive/config.yaml index 64eca135..d02f90fa 100644 --- a/package/cfg/k3s-cis-1.7-permissive/config.yaml +++ b/package/cfg/k3s-cis-1.7-permissive/config.yaml @@ -32,6 +32,9 @@ master: bins: - containerd +etcd: + confs: /var/lib/rancher/k3s/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/k3s-cis-1.7-permissive/etcd.yaml b/package/cfg/k3s-cis-1.7-permissive/etcd.yaml index ad48e407..4c9369e4 100644 --- a/package/cfg/k3s-cis-1.7-permissive/etcd.yaml +++ b/package/cfg/k3s-cis-1.7-permissive/etcd.yaml 
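Review bot: Check 2.7's new test item reads `{.peer-transport-security.trusted-ca-file}`, but the benchmark item audits etcd's `--trusted-ca-file`, which in etcd's file-based config is the client-side key; this hunk maps every other client flag (cert-file, key-file, client-cert-auth, auto-tls) to `client-transport-security` and only the `--peer-*` flags to `peer-transport-security`, so this looks like the peer CA being checked in place of the client CA, and if the client CA is intended the path should be `{.client-transport-security.trusted-ca-file}` with the matching K3s default as `value` (that path is not shown in this diff). Either way the test only asserts a fixed file path, not that the CA differs from the cluster's other CAs, so the remediation's "generates a unique certificate authority" wording rests on the K3s default rather than on what the test verifies; one sentence saying that would help whoever reads a pass. Separately, check 2.5's remediation names `--peer-cert-auth`, which is not the flag the check tests; it should read `By default, K3s sets the --peer-client-cert-auth parameter to true.`. The same three points apply to the identical hunks in k3s-cis-1.7-permissive, k3s-cis-1.8-hardened and k3s-cis-1.8-permissive etcd.yaml.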
@@ -10,139 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "check_for_k3s_etcd.sh 2.7" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/k3s-cis-1.8-hardened/config.yaml b/package/cfg/k3s-cis-1.8-hardened/config.yaml index f119071a..fff6edb7 100644 --- a/package/cfg/k3s-cis-1.8-hardened/config.yaml +++ b/package/cfg/k3s-cis-1.8-hardened/config.yaml @@ -30,6 +30,10 @@ master: etcd: bins: - containerd + +etcd: + confs: /var/lib/rancher/k3s/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/k3s-cis-1.8-hardened/etcd.yaml b/package/cfg/k3s-cis-1.8-hardened/etcd.yaml index 7641f0d1..fb670ee2 100644 --- a/package/cfg/k3s-cis-1.8-hardened/etcd.yaml +++ b/package/cfg/k3s-cis-1.8-hardened/etcd.yaml 
@@ -10,139 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "check_for_k3s_etcd.sh 2.7" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/cfg/k3s-cis-1.8-permissive/config.yaml b/package/cfg/k3s-cis-1.8-permissive/config.yaml index ed043579..9e9ff62a 100644 --- a/package/cfg/k3s-cis-1.8-permissive/config.yaml +++ b/package/cfg/k3s-cis-1.8-permissive/config.yaml @@ -31,6 +31,10 @@ master: etcd: bins: - containerd + +etcd: + confs: /var/lib/rancher/k3s/server/db/etcd/config + node: components: - kubelet diff --git a/package/cfg/k3s-cis-1.8-permissive/etcd.yaml b/package/cfg/k3s-cis-1.8-permissive/etcd.yaml index 7641f0d1..fb670ee2 100644 --- a/package/cfg/k3s-cis-1.8-permissive/etcd.yaml +++ b/package/cfg/k3s-cis-1.8-permissive/etcd.yaml 
@@ -10,139 +10,128 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_KEY_FILE" - set: true + - path: "{.client-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" + - path: "{.client-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key" remediation: | - Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml - on the master node and set the below parameters. - --cert-file= - --key-file= + By default, K3s generates cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom cert and key files. scored: true - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" + - path: "{.client-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --client-cert-auth="true" + By default, K3s sets the --client-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable client certificate authentication. 
scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" - set: false - - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" + - path: "{.client-transport-security.auto-tls}" compare: op: eq value: false + - path: "{.client-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. - --auto-tls=false + client-transport-security: + auto-tls: false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: and test_items: - - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" - set: true - - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" - set: true + - path: "{.peer-transport-security.cert-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt" + - path: "{.peer-transport-security.key-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key" remediation: | - Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameters. - --peer-client-file= - --peer-key-file= + By default, K3s generates peer cert and key files for etcd. + These are located in /var/lib/rancher/k3s/server/tls/etcd/. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use custom peer cert and key files. 
scored: true - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit_config: "check_for_k3s_etcd.sh" tests: - bin_op: or test_items: - - flag: "--client-cert-auth" - set: true - - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" + - path: "{.peer-transport-security.client-cert-auth}" compare: op: eq value: true - set: true remediation: | - Edit the etcd pod specification file $etcdconf on the master - node and set the below parameter. - --peer-client-cert-auth=true + By default, K3s sets the --peer-cert-auth parameter to true. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to disable peer client certificate authentication. scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit_config: "check_for_k3s_etcd.sh" tests: bin_op: or test_items: - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" - set: false - - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" + - path: "{.peer-transport-security.auto-tls}" compare: op: eq value: false - set: true + - path: "{.peer-transport-security.auto-tls}" + set: false remediation: | - Edit the etcd pod specification file $etcdconf on the master + By default, K3s does not set the --peer-auto-tls parameter. + If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. 
- --peer-auto-tls=false + peer-transport-security: + auto-tls: false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "check_for_k3s_etcd.sh 2.7" + audit_config: "check_for_k3s_etcd.sh" tests: test_items: - - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" - set: true + - path: "{.peer-transport-security.trusted-ca-file}" + compare: + op: eq + value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt" remediation: | - [Manual test] - Follow the etcd documentation and create a dedicated certificate authority setup for the - etcd service. - Then, edit the etcd pod specification file $etcdconf on the - master node and set the below parameter. - --trusted-ca-file= - scored: false + By default, K3s generates a unique certificate authority for etcd. + This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. + If this check fails, ensure that the configuration file $etcdconf + has not been modified to use a shared certificate authority. + scored: true diff --git a/package/helper_scripts/check_for_k3s_etcd.sh b/package/helper_scripts/check_for_k3s_etcd.sh index 4d5b48ea..717ae926 100755 --- a/package/helper_scripts/check_for_k3s_etcd.sh +++ b/package/helper_scripts/check_for_k3s_etcd.sh 
@@ -16,38 +16,19 @@ if [[ "$(journalctl -D $JOURNAL_LOG --lines=0 2>&1 | grep -s 'No such file or di fi if [[ "$(journalctl -D $JOURNAL_LOG -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]]; then - case $1 in - "2.1") - echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; - "2.2") - echo $(grep -A 5 'client-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; - "2.3") - echo $(grep 'auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; - "2.4") - echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep -E 'cert-file|key-file');; - "2.5") - echo $(grep -A 5 'peer-transport-security' /var/lib/rancher/k3s/server/db/etcd/config | grep 'client-cert-auth');; - "2.6") - echo $(grep 'peer-auto-tls' /var/lib/rancher/k3s/server/db/etcd/config);; - "2.7") - echo $(grep 'trusted-ca-file' /var/lib/rancher/k3s/server/db/etcd/config);; - esac + cat /var/lib/rancher/k3s/server/db/etcd/config else -# If another database is running, return whatever is required to pass the scan - case $1 in - "2.1") - echo "cert-file AND key-file";; - "2.2") - echo "--client-cert-auth=true";; - "2.3") - echo "false";; - "2.4") - echo "peer-cert-file AND peer-key-file";; - "2.5") - echo "--client-cert-auth=true";; - "2.6") - echo "--peer-auto-tls=false";; - "2.7") - echo "--trusted-ca-file";; - esac +# If another database is running, return a fake etcd config that passes the checks +cat <