Merge branch 'master' into k3s_4th

dereknola · Aug 9, 2024 · ff3afdb · ff3afdb
2 parents 414384c + 66f7fd7
commit ff3afdb
Show file tree

Hide file tree

Showing 32 changed files with 1,596 additions and 1,493 deletions.
diff --git a/package/cfg/k3s-cis-1.24-hardened/master.yaml b/package/cfg/k3s-cis-1.24-hardened/master.yaml
@@ -130,7 +130,7 @@ groups:
         remediation: |
           Not Applicable.
           The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

diff --git a/package/cfg/k3s-cis-1.24-permissive/master.yaml b/package/cfg/k3s-cis-1.24-permissive/master.yaml
@@ -130,7 +130,7 @@ groups:
         remediation: |
           Not Applicable.
           The default K3s CNI, flannel, does not create any files in /var/lib/cni/networks.
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

diff --git a/package/cfg/k3s-cis-1.7-hardened/master.yaml b/package/cfg/k3s-cis-1.7-hardened/master.yaml
@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"

diff --git a/package/cfg/k3s-cis-1.7-permissive/master.yaml b/package/cfg/k3s-cis-1.7-permissive/master.yaml
@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"

diff --git a/package/cfg/k3s-cis-1.8-hardened/master.yaml b/package/cfg/k3s-cis-1.8-hardened/master.yaml
@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

diff --git a/package/cfg/k3s-cis-1.8-permissive/master.yaml b/package/cfg/k3s-cis-1.8-permissive/master.yaml
@@ -133,7 +133,7 @@ groups:
           Note that for many CNIs, a lock file is created with permissions 750. This is expected and can be ignored.
           If you modify your CNI configuration, ensure that the permissions are set to 600.
           For example, chmod 600 /var/lib/cni/networks/<filename>
-        scored: false
+        scored: true
 
       - id: 1.1.10
         text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"

diff --git a/package/cfg/rke2-cis-1.23-hardened/policies.yaml b/package/cfg/rke2-cis-1.23-hardened/policies.yaml
@@ -208,8 +208,8 @@ groups:
         text: "Minimize the admission of containers with capabilities assigned (Manual)"
         type: "manual"
         remediation: |
-          Review the use of capabilites in applications running on your cluster. Where a namespace
-          contains applicaions which do not require any Linux capabities to operate consider adding
+          Review the use of capabilities in applications running on your cluster. Where a namespace
+          contains applications which do not require any Linux capabities to operate consider adding
           a PSP which forbids the admission of containers which do not drop all capabilities.
         scored: false
 

diff --git a/package/cfg/rke2-cis-1.23-permissive/policies.yaml b/package/cfg/rke2-cis-1.23-permissive/policies.yaml
@@ -152,8 +152,8 @@ groups:
         text: "Minimize the admission of containers with capabilities assigned (Manual)"
         type: "manual"
         remediation: |
-          Review the use of capabilites in applications running on your cluster. Where a namespace
-          contains applicaions which do not require any Linux capabities to operate consider adding
+          Review the use of capabilities in applications running on your cluster. Where a namespace
+          contains applications which do not require any Linux capabities to operate consider adding
           a PSP which forbids the admission of containers which do not drop all capabilities.
         scored: false
 

diff --git a/package/cfg/rke2-cis-1.24-hardened/etcd.yaml b/package/cfg/rke2-cis-1.24-hardened/etcd.yaml
@@ -5,71 +5,6 @@ id: 2
 text: "Etcd Node Configuration"
 type: "etcd"
 groups:
-  - id: 1.1
-    text: "Master Node Configuration Files"
-    checks:
-      - id: 1.1.7
-        text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
-        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
-        tests:
-          test_items:
-            - flag: "644"
-              compare:
-                op: eq
-                value: "644"
-              set: true
-        remediation: |
-          Run the below command (based on the file location on your system) on the control plane node.
-          For example,
-          chmod 644 $etcdconf
-        scored: true
-
-      - id: 1.1.8
-        text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
-        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
-        tests:
-          test_items:
-            - flag: "root:root"
-              compare:
-                op: eq
-                value: "root:root"
-              set: true
-        remediation: |
-          Run the below command (based on the file location on your system) on the control plane node.
-          For example,
-          chown root:root $etcdconf
-        scored: true
-
-      - id: 1.1.11
-        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
-        audit: "stat -c permissions=%a $etcddatadir"
-        tests:
-          test_items:
-            - flag: "permissions"
-              compare:
-                op: bitmask
-                value: "700"
-        remediation: |
-          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
-          from the command 'ps -ef | grep etcd'.
-          Run the below command (based on the etcd data directory found above). For example,
-          chmod 700 $etcddatadir
-        scored: true
-
-      - id: 1.1.12
-        text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
-        audit: "stat -c %U:%G $etcddatadir"
-        tests:
-          test_items:
-            - flag: "etcd:etcd"
-              set: true
-        remediation: |
-          On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
-          from the command 'ps -ef | grep etcd'.
-          Run the below command (based on the etcd data directory found above).
-          For example, chown etcd:etcd /var/lib/etcd
-        scored: true
-
   - id: 2
     text: "Etcd Node Configuration"
     checks: