Set correct K3s 1.1.9 and 1.1.10 for each version of scan
Signed-off-by: Derek Nola <[email protected]>
dereknola committed Aug 9, 2024
1 parent afde58e commit bb07a4e
Showing 4 changed files with 24 additions and 35 deletions.
12 changes: 5 additions & 7 deletions package/cfg/k3s-cis-1.24-hardened/master.yaml
@@ -119,6 +119,7 @@ groups:
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
type: "skip"
use_multiple_values: true
tests:
test_items:
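Review bot: the added `type: "skip"` turns 1.1.9 into a no-op, but the title a few lines above still reads "(Automated)"; the 1.7 profiles in this same commit relabel the check "(Manual)", so the 1.24 profiles should get the same label (or a YAML comment explaining why the benchmark title is kept), otherwise reports show an Automated check that never executes.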
@@ -127,10 +128,8 @@ groups:
op: bitmask
value: "600"
remediation: |
By default, K3s sets the CNI file permissions to 600.
Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
If you modify your CNI configuration, ensure that the permissions are set to 600.
For example, chmod 600 /var/lib/cni/networks/<filename>
Not Applicable.
The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: false

- id: 1.1.10
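Review bot: the new remediation drops the guidance for non-default CNIs ("If you modify your CNI configuration, ensure that the permissions are set to 600" and the `chmod 600 /var/lib/cni/networks/<filename>` example). "Not Applicable" is only true for the flannel default; a cluster running a different CNI that writes under /var/lib/cni/networks still needs the 600 check, so keep one sentence telling such operators to verify permissions manually, or make the skip conditional on flannel being in use.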
@@ -144,9 +143,8 @@ groups:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
Not Applicable.
The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: false

- id: 1.1.11
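Review bot: 1.1.10's "Not Applicable" rationale is copied verbatim from 1.1.9, but nothing in this file's hunks adds `type: "skip"` to 1.1.10 for the hardened 1.24 profile, whereas the permissive 1.24 file below does add it together with a "(Manual)" title; confirm the hardened entry is also skipped, otherwise its audit still runs and a non-root:root file would be reported with a remediation that says nothing can be done.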
15 changes: 7 additions & 8 deletions package/cfg/k3s-cis-1.24-permissive/master.yaml
@@ -119,6 +119,7 @@ groups:
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
type: "skip"
use_multiple_values: true
tests:
test_items:
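Review bot: `type: "skip"` is written with quotes here and in the hardened 1.24 file, while the 1.7 profiles below remove the bare `type: skip`; both forms parse to the same YAML string, but pick one spelling across package/cfg so the profiles stay greppable.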
@@ -127,14 +128,12 @@ groups:
op: bitmask
value: "600"
remediation: |
By default, K3s sets the CNI file permissions to 600.
Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
If you modify your CNI configuration, ensure that the permissions are set to 600.
For example, chmod 600 /var/lib/cni/networks/<filename>
Not Applicable.
The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: false

- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
type: "skip"
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
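Review bot: 1.1.10 is relabelled "(Manual)" and skipped, yet the retained audit on the last line derives its path from `--cni-conf-dir` in the kubelet arguments, while the new "Not Applicable" reason given for this check in the following hunk talks about /var/lib/cni/networks; the justification and the audited location should name the same directory, or the audit line should go now that the check never runs.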
@@ -144,11 +143,11 @@ groups:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
Not Applicable.
The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
scored: false


- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: |
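Review bot: with `scored: false` and `type: "skip"`, a remediation of "Not Applicable." followed by the 1.1.9 permissions rationale gives the reader no ownership-specific reason; word 1.1.10's sentence around root:root ownership rather than reusing the permissions text verbatim. Nit: the hunk keeps two blank lines before `- id: 1.1.11` where the rest of the file uses one.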
16 changes: 6 additions & 10 deletions package/cfg/k3s-cis-1.7-hardened/master.yaml
@@ -119,7 +119,7 @@ groups:
scored: true

- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
use_multiple_values: true
tests:
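Review bot: retitling 1.1.9 "(Manual)" without adding `type: skip` means the audit and bitmask test still execute on 1.7-profile clusters; that is the right outcome if the intent is to report but not score the 644 default stated in the next hunk, but the commit message only says "set correct ... for each version", so state in the message or a YAML comment that 1.1.9 is intentionally reported-but-unscored on the 1.7 profiles.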
@@ -129,28 +129,24 @@ groups:
op: bitmask
value: "600"
remediation: |
By default, K3s sets the CNI file permissions to 600.
By default, K3s sets the CNI file permissions to 644.
Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
If you modify your CNI configuration, ensure that the permissions are set to 600.
For example, chmod 600 /var/lib/cni/networks/<filename>
scored: false

- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
type: skip
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Not Applicable.
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
scored: false
chown root:root /var/lib/cni/networks/<filename>
scored: true

- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
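Review bot: the remediation now says the default is 644 while the test still requires `value: "600"` with `op: bitmask`, so a stock install fails 1.1.9, and the retained sentence "If you modify your CNI configuration, ensure that the permissions are set to 600" reads as though 600 were the default; reword it to say operators must run the chmod 600 command on the files to satisfy the check. Separately, 1.1.10 becomes Automated with `scored: true` and its audit does not exclude the lock file the way 1.1.9's `! -name lock` does; either confirm the lock file reports root:root or add the same exclusion so the scored check cannot fail on it.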
16 changes: 6 additions & 10 deletions package/cfg/k3s-cis-1.7-permissive/master.yaml
@@ -119,7 +119,7 @@ groups:
scored: true

- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)"
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
use_multiple_values: true
tests:
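Review bot: this mirrors the hardened 1.7 change exactly, so after this commit the permissive profile is no more lenient than the hardened one for 1.1.9 (same title, same audit, same 600 bitmask, same `scored: false`); users who choose the permissive profile expecting the 644 default mentioned in the next hunk to pass will be surprised, so either document that or differentiate the two profiles here.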
@@ -129,28 +129,24 @@ groups:
op: bitmask
value: "600"
remediation: |
By default, K3s sets the CNI file permissions to 600.
By default, K3s sets the CNI file permissions to 644.
Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
If you modify your CNI configuration, ensure that the permissions are set to 600.
For example, chmod 600 /var/lib/cni/networks/<filename>
scored: false

- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
type: skip
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Not Applicable.
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
scored: false
chown root:root /var/lib/cni/networks/<filename>
scored: true

- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
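Review bot: 1.1.10 moves to `scored: true` in the permissive profile, the one place in this diff where a permissive check becomes stricter; if that is intended (root:root ownership is cheap to satisfy), say so in the commit message. If the permissive profile is meant to accommodate the 644 default the remediation now states for 1.1.9, the `value: "600"` on the bitmask test arguably belongs at 644 in this file rather than matching the hardened profile.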