Follow standard yaml list indentation

Signed-off-by: Derek Nola <[email protected]>

package/cfg/k3s-cis-1.23-hardened/master.yaml

@@ -837,7 +837,7 @@ groups:
           If a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.
           If this check fails, remove any custom configuration around `tls-cipher-suites` or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:
           kube-apiserver-arg:
-          - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+            - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
         scored: true
 
   - id: 1.3

package/cfg/k3s-cis-1.23-permissive/master.yaml

@@ -841,7 +841,7 @@ groups:
           If a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.
           If this check fails, remove any custom configuration around `tls-cipher-suites` or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:
           kube-apiserver-arg:
-          - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+            - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
         scored: true
 
   - id: 1.3

package/cfg/k3s-cis-1.24-hardened/master.yaml

@@ -347,7 +347,7 @@ groups:
           Follow the documentation and configure alternate mechanisms for authentication.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove anything similar to below.
           kube-apiserver-arg:
-          - "token-auth-file=<path>"
+            - "token-auth-file=<path>"
         scored: true
 
       - id: 1.2.3
@@ -366,7 +366,7 @@ groups:
           By default, K3s does not set DenyServiceExternalIPs.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below.
           kube-apiserver-arg:
-          - "enable-admission-plugins=DenyServiceExternalIPs"
+            - "enable-admission-plugins=DenyServiceExternalIPs"
         scored: true
 
       - id: 1.2.4
@@ -401,8 +401,8 @@ groups:
           If for some reason you need to provide your own certificate and key, you can set the
           below parameters in the K3s config file /etc/rancher/k3s/config.yaml.
           kube-apiserver-arg:
-          - "kubelet-client-certificate=<path/to/client-cert-file>"
-          - "kubelet-client-key=<path/to/client-key-file>"
+            - "kubelet-client-certificate=<path/to/client-cert-file>"
+            - "kubelet-client-key=<path/to/client-key-file>"
         scored: true
 
       - id: 1.2.6
@@ -432,7 +432,7 @@ groups:
           By default, K3s does not set the --authorization-mode to AlwaysAllow.
           If this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below.
           kube-apiserver-arg:
-          - "authorization-mode=AlwaysAllow"
+            - "authorization-mode=AlwaysAllow"
         scored: true
 
       - id: 1.2.8
@@ -478,8 +478,8 @@ groups:
           Follow the Kubernetes documentation and set the desired limits in a configuration file.
           Then, edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameters.
           kube-apiserver-arg:
-          - "enable-admission-plugins=...,EventRateLimit,..."
-          - "admission-control-config-file=<path/to/configuration/file>"
+            - "enable-admission-plugins=...,EventRateLimit,..."
+            - "admission-control-config-file=<path/to/configuration/file>"
         scored: false
 
       - id: 1.2.11
@@ -498,7 +498,7 @@ groups:
           By default, K3s does not set the --enable-admission-plugins to AlwaysAdmit.
           If this check fails, edit K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below.
           kube-apiserver-arg:
-          - "enable-admission-plugins=AlwaysAdmit"
+            - "enable-admission-plugins=AlwaysAdmit"
         scored: true
 
       - id: 1.2.12
@@ -517,7 +517,7 @@ groups:
           clusters which use this configuration."
           Edit the K3s config file /etc/rancher/k3s/config.yaml and set the below parameter.
           kube-apiserver-arg:
-          - "enable-admission-plugins=...,AlwaysPullImages,..."
+            - "enable-admission-plugins=...,AlwaysPullImages,..."
         scored: false
 
       - id: 1.2.13
@@ -558,7 +558,7 @@ groups:
           Follow the documentation and create ServiceAccount objects as per your environment.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "disable-admission-plugins=ServiceAccount"
+            - "disable-admission-plugins=ServiceAccount"
         scored: true
 
       - id: 1.2.15
@@ -577,7 +577,7 @@ groups:
           By default, K3s does not set the --disable-admission-plugins to anything.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "disable-admission-plugins=...,NamespaceLifecycle,..."
+            - "disable-admission-plugins=...,NamespaceLifecycle,..."
         scored: true
 
       - id: 1.2.16
@@ -594,7 +594,7 @@ groups:
           If using the K3s config file /etc/rancher/k3s/config.yaml, check that you are not overriding the admission plugins.
           If you are, include NodeRestriction in the list.
           kube-apiserver-arg:
-          - "enable-admission-plugins=...,NodeRestriction,..."
+            - "enable-admission-plugins=...,NodeRestriction,..."
         scored: true
 
       - id: 1.2.17
@@ -613,7 +613,7 @@ groups:
           By default, K3s sets the secure port to 6444.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "secure-port=<PORT>"
+            - "secure-port=<PORT>"
         scored: true
 
       - id: 1.2.18
@@ -629,7 +629,7 @@ groups:
           By default, K3s sets the --profiling argument to false.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "profiling=true"
+            - "profiling=true"
         scored: true
 
       - id: 1.2.19
@@ -642,7 +642,7 @@ groups:
           Edit the K3s config file /etc/rancher/k3s/config.yaml and set the audit-log-path parameter to a suitable path and
           file where you would like audit logs to be written, for example,
           kube-apiserver-arg:
-          - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"
+            - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"
         scored: true
 
       - id: 1.2.20
@@ -658,7 +658,7 @@ groups:
           Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and
           set the audit-log-maxage parameter to 30 or as an appropriate number of days, for example,
           kube-apiserver-arg:
-          - "audit-log-maxage=30"
+            - "audit-log-maxage=30"
         scored: true
 
       - id: 1.2.21
@@ -674,7 +674,7 @@ groups:
           Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and
           set the audit-log-maxbackup parameter to 10 or to an appropriate value. For example,
           kube-apiserver-arg:
-          - "audit-log-maxbackup=10"
+            - "audit-log-maxbackup=10"
         scored: true
 
       - id: 1.2.22
@@ -690,7 +690,7 @@ groups:
           Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node and
           set the audit-log-maxsize parameter to an appropriate size in MB. For example,
           kube-apiserver-arg:
-          - "audit-log-maxsize=100"
+            - "audit-log-maxsize=100"
         scored: true
 
       - id: 1.2.23
@@ -708,7 +708,7 @@ groups:
           Edit the K3s config file /etc/rancher/k3s/config.yaml
           and set the below parameter if needed. For example,
           kube-apiserver-arg:
-          - "request-timeout=300s"
+            - "request-timeout=300s"
         scored: false
 
       - id: 1.2.24
@@ -727,7 +727,7 @@ groups:
           By default, K3s does not set the --service-account-lookup argument.
           Edit the K3s config file /etc/rancher/k3s/config.yaml and set the service-account-lookup. For example,
           kube-apiserver-arg:
-          - "service-account-lookup=true"
+            - "service-account-lookup=true"
           Alternatively, you can delete the service-account-lookup parameter from this file so
           that the default takes effect.
         scored: true
@@ -743,7 +743,7 @@ groups:
           It is located at /var/lib/rancher/k3s/server/tls/service.key.
           If this check fails, edit K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "service-account-key-file=<path>"
+            - "service-account-key-file=<path>"
         scored: true
 
       - id: 1.2.26
@@ -766,8 +766,8 @@ groups:
           They are located at /var/lib/rancher/k3s/server/tls/etcd/client.crt and /var/lib/rancher/k3s/server/tls/etcd/client.key.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "etcd-certfile=<path>"
-          - "etcd-keyfile=<path>"
+            - "etcd-certfile=<path>"
+            - "etcd-keyfile=<path>"
         scored: true
 
       - id: 1.2.27
@@ -785,8 +785,8 @@ groups:
           They are generated and located at /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt and /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "tls-cert-file=<path>"
-          - "tls-private-key-file=<path>"
+            - "tls-cert-file=<path>"
+            - "tls-private-key-file=<path>"
         scored: true
 
       - id: 1.2.28
@@ -800,7 +800,7 @@ groups:
           It is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "client-ca-file=<path>"
+            - "client-ca-file=<path>"
         scored: true
 
       - id: 1.2.29
@@ -814,7 +814,7 @@ groups:
           It is generated and located at /var/lib/rancher/k3s/server/tls/client-ca.crt.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-apiserver-arg:
-          - "etcd-cafile=<path>"
+            - "etcd-cafile=<path>"
         scored: true
 
       - id: 1.2.30
@@ -864,7 +864,7 @@ groups:
           If a custom TLS configuration is required, consider also creating a custom version of this rule that aligns with your requirements.
           If this check fails, remove any custom configuration around `tls-cipher-suites` or update the /etc/rancher/k3s/config.yaml file to match the default by adding the following:
           kube-apiserver-arg:
-          - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+            - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
         scored: true
 
   - id: 1.3
@@ -880,7 +880,7 @@ groups:
           Edit the K3s config file /etc/rancher/k3s/config.yaml on the control plane node
           and set the --terminated-pod-gc-threshold to an appropriate threshold,
           kube-controller-manager-arg:
-          - "terminated-pod-gc-threshold=10"
+            - "terminated-pod-gc-threshold=10"
         scored: false
 
       - id: 1.3.2
@@ -896,7 +896,7 @@ groups:
           By default, K3s sets the --profiling argument to false.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-controller-manager-arg:
-          - "profiling=true"
+            - "profiling=true"
         scored: true
 
       - id: 1.3.3
@@ -912,7 +912,7 @@ groups:
           By default, K3s sets the --use-service-account-credentials argument to true.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-controller-manager-arg:
-          - "use-service-account-credentials=false"
+            - "use-service-account-credentials=false"
         scored: true
 
       - id: 1.3.4
@@ -926,7 +926,7 @@ groups:
           It is generated and located at /var/lib/rancher/k3s/server/tls/service.current.key.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-controller-manager-arg:
-          - "service-account-private-key-file=<path>"
+            - "service-account-private-key-file=<path>"
         scored: true
 
       - id: 1.3.5
@@ -940,7 +940,7 @@ groups:
           It is generated and located at /var/lib/rancher/k3s/server/tls/server-ca.crt.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-controller-manager-arg:
-          - "root-ca-file=<path>"
+            - "root-ca-file=<path>"
         scored: true
 
       - id: 1.3.6
@@ -961,7 +961,7 @@ groups:
           If you have enabled this feature gate, you should remove it.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml, remove any lines like below.
           kube-controller-manager-arg:
-          - "feature-gate=RotateKubeletServerCertificate"
+            - "feature-gate=RotateKubeletServerCertificate"
         scored: true
 
       - id: 1.3.7
@@ -981,7 +981,7 @@ groups:
           By default, K3s sets the --bind-address argument to 127.0.0.1
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-controller-manager-arg:
-          - "bind-address=<IP>"
+            - "bind-address=<IP>"
         scored: true
 
   - id: 1.4
@@ -1001,7 +1001,7 @@ groups:
           By default, K3s sets the --profiling argument to false.
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-scheduler-arg:
-          - "profiling=true"
+            - "profiling=true"
         scored: true
 
       - id: 1.4.2
@@ -1021,5 +1021,5 @@ groups:
           By default, K3s sets the --bind-address argument to 127.0.0.1
           If this check fails, edit the K3s config file /etc/rancher/k3s/config.yaml and remove any lines like below.
           kube-scheduler-arg:
-          - "bind-address=<IP>"
+            - "bind-address=<IP>"
         scored: true