From bb07a4e3721571c478c8e802b71b36508eab83a0 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Fri, 9 Aug 2024 11:33:26 -0700
Subject: [PATCH] Set correct K3s 1.1.9 and 1.1.10 for each version of scan
Signed-off-by: Derek Nola
---
 package/cfg/k3s-cis-1.24-hardened/master.yaml | 12 +++++-------
 package/cfg/k3s-cis-1.24-permissive/master.yaml | 15 +++++++--------
 package/cfg/k3s-cis-1.7-hardened/master.yaml | 16 ++++++----------
 package/cfg/k3s-cis-1.7-permissive/master.yaml | 16 ++++++----------
 4 files changed, 24 insertions(+), 35 deletions(-)
diff --git a/package/cfg/k3s-cis-1.24-hardened/master.yaml b/package/cfg/k3s-cis-1.24-hardened/master.yaml
index 4b03b2bb..615dd03b 100644
--- a/package/cfg/k3s-cis-1.24-hardened/master.yaml
+++ b/package/cfg/k3s-cis-1.24-hardened/master.yaml
@@ -119,6 +119,7 @@ groups:
 - id: 1.1.9 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)" audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a + type: "skip" use_multiple_values: true tests: test_items:
@@ -127,10 +128,8 @@ groups:
 op: bitmask value: "600" remediation: | - By default, K3s sets the CNI file permissions to 600. - Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored. - If you modify your CNI configuration, ensure that the permissions are set to 600. - For example, chmod 600 /var/lib/cni/networks/ + Not Applicable. + The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks. scored: false - id: 1.1.10
@@ -144,9 +143,8 @@ groups:
 test_items: - flag: "root:root" remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chown root:root + Not Applicable. + The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks. scored: false - id: 1.1.11
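Review bot: 1.1.9 gains `type: "skip"` in the first hunk but its `text:` still ends in "(Automated)", so the report advertises an automated check that is never executed; the permissive profile relabels its skipped 1.1.10 to "(Manual)" in this same commit, and the identical mismatch is in the first hunk of package/cfg/k3s-cis-1.24-permissive/master.yaml. Suggest `text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"` so title and behaviour agree. The skip is justified only by the default flannel CNI; on a node running a different CNI the directory can contain files that are no longer evaluated, so the new "Not Applicable" remediation could add `If a non-default CNI is in use, run the audit command manually and verify the permissions are 600 or more restrictive.` That sentence applies equally to the 1.1.10 remediation in the third hunk and to both remediation blocks of the permissive file.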
diff --git a/package/cfg/k3s-cis-1.24-permissive/master.yaml b/package/cfg/k3s-cis-1.24-permissive/master.yaml
index 36b0b4a1..98dceb60 100644
--- a/package/cfg/k3s-cis-1.24-permissive/master.yaml
+++ b/package/cfg/k3s-cis-1.24-permissive/master.yaml
@@ -119,6 +119,7 @@ groups:
 - id: 1.1.9 text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)" audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a + type: "skip" use_multiple_values: true tests: test_items:
@@ -127,14 +128,12 @@ groups:
 op: bitmask value: "600" remediation: | - By default, K3s sets the CNI file permissions to 600. - Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored. - If you modify your CNI configuration, ensure that the permissions are set to 600. - For example, chmod 600 /var/lib/cni/networks/ + Not Applicable. + The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks. scored: false - id: 1.1.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" + text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" type: "skip" audit: | ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
@@ -144,11 +143,11 @@ groups:
 test_items: - flag: "root:root" remediation: | - Run the below command (based on the file location on your system) on the control plane node. - For example, - chown root:root + Not Applicable. + The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks. scored: false + - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" audit: |
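Review bot: The second hunk relabels the already-skipped 1.1.10 to "(Manual)", while the hardened 1.24 profile's hunk for the same check touches only its remediation, so the two 1.24 profiles appear to carry different titles for an identically skipped check (the hardened 1.1.10 title line sits outside its hunk, so this is inferred rather than seen). If the titles are meant to match, the hardened file needs the same `text:` change; if the divergence is intentional, a one-line comment above `- id: 1.1.10` saying why the permissive profile differs would spare the next maintainer the side-by-side comparison. The retained `audit:` under a `type: "skip"` check is harmless but now documents a command the runner never executes, which is worth stating in that same comment.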
diff --git a/package/cfg/k3s-cis-1.7-hardened/master.yaml b/package/cfg/k3s-cis-1.7-hardened/master.yaml
index 12984601..c016b716 100644
--- a/package/cfg/k3s-cis-1.7-hardened/master.yaml
+++ b/package/cfg/k3s-cis-1.7-hardened/master.yaml
@@ -119,7 +119,7 @@ groups:
 scored: true - id: 1.1.9 - text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)" + text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)" audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a use_multiple_values: true tests:
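Review bot: 1.1.9's title changes to "(Manual)" but the check keeps its `audit:` command and bitmask test with no `type:` change, so the runner still evaluates it automatically and, per the next hunk, against a default of 644 that cannot satisfy the 600 mask; the title and the behaviour no longer agree. If the intent is a warn-only item the reader completes by hand, declaring that through the runner's check type (kube-bench accepts `type: "manual"`; confirm this scanner honours it) would express it directly, otherwise the title should stay "(Automated)" and `scored: false` alone carries the softer severity. The first hunk of package/cfg/k3s-cis-1.7-permissive/master.yaml makes the identical change.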
@@ -129,28 +129,24 @@ groups:
 op: bitmask value: "600" remediation: | - By default, K3s sets the CNI file permissions to 600. + By default, K3s sets the CNI file permissions to 644. Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored. If you modify your CNI configuration, ensure that the permissions are set to 600. For example, chmod 600 /var/lib/cni/networks/ scored: false - id: 1.1.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" - type: skip - audit: | - ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G - find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G + text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" + audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G use_multiple_values: true tests: test_items: - flag: "root:root" remediation: | - Not Applicable. Run the below command (based on the file location on your system) on the control plane node. For example, - chown root:root - scored: false + chown root:root /var/lib/cni/networks/ + scored: true - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
diff --git a/package/cfg/k3s-cis-1.7-permissive/master.yaml b/package/cfg/k3s-cis-1.7-permissive/master.yaml
index 820b022a..2e54aaf4 100644
--- a/package/cfg/k3s-cis-1.7-permissive/master.yaml
+++ b/package/cfg/k3s-cis-1.7-permissive/master.yaml
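Review bot: The new 1.1.9 remediation says K3s sets the CNI file permissions to 644 by default while the test still requires the 600 bitmask, so a default install is reported as not passing and the only fix-up instruction is conditioned on "If you modify your CNI configuration"; suggest replacing that conditional sentence with `To satisfy this check, run chmod 600 on the files under /var/lib/cni/networks/ (the lock file can be left as is).` For 1.1.10, which becomes `scored: true`, the new `audit:` lists only /var/lib/cni/networks and drops the `--cni-conf-dir` lookup of the old command, so ownership of the CNI configuration files is no longer audited at all; if that narrowing is deliberate it deserves a comment above `- id: 1.1.10`, since a scored check is what operators will rely on. The empty-output case (directory absent or unpopulated, e.g. with a non-default CNI) should also be confirmed to yield a pass rather than a fail now that the check is scored, as `xargs --no-run-if-empty` then prints nothing for the `root:root` flag test to match. The second hunk of package/cfg/k3s-cis-1.7-permissive/master.yaml makes the identical change and needs the same treatment.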
@@ -119,7 +119,7 @@ groups:
 scored: true - id: 1.1.9 - text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Automated)" + text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)" audit: find /var/lib/cni/networks -type f ! -name lock 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a use_multiple_values: true tests:
@@ -129,28 +129,24 @@ groups:
 op: bitmask value: "600" remediation: | - By default, K3s sets the CNI file permissions to 600. + By default, K3s sets the CNI file permissions to 644. Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored. If you modify your CNI configuration, ensure that the permissions are set to 600. For example, chmod 600 /var/lib/cni/networks/ scored: false - id: 1.1.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" - type: skip - audit: | - ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G - find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G + text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" + audit: find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G use_multiple_values: true tests: test_items: - flag: "root:root" remediation: | - Not Applicable. Run the below command (based on the file location on your system) on the control plane node. For example, - chown root:root - scored: false + chown root:root /var/lib/cni/networks/ + scored: true - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"