From ed51191d7ce982003959a803544ad36e11eef2ad Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Mon, 20 May 2024 03:47:15 -0700 Subject: [PATCH] Replace custom k3s etcd script checks with vanilla grep checks (#1601) * Replace custom k3s etcd script checks with vanilla grep checks Signed-off-by: Derek Nola * Rework etcd grep, remove etcd ENV checks (no-op), add correct k3s etcddatadir Signed-off-by: Derek Nola * chore: update go-linter version Signed-off-by: chenk * Use etcddatadir variable Signed-off-by: Derek Nola --------- Signed-off-by: Derek Nola Signed-off-by: chenk Co-authored-by: chenk --- .github/workflows/build.yml | 2 +- cfg/config.yaml | 3 +++ cfg/k3s-cis-1.23/config.yaml | 3 ++- cfg/k3s-cis-1.23/etcd.yaml | 25 +++++++------------------ cfg/k3s-cis-1.23/master.yaml | 4 ++-- cfg/k3s-cis-1.24/config.yaml | 2 ++ cfg/k3s-cis-1.24/etcd.yaml | 25 +++++++------------------ cfg/k3s-cis-1.24/master.yaml | 4 ++-- cfg/k3s-cis-1.7/config.yaml | 3 ++- cfg/k3s-cis-1.7/etcd.yaml | 25 +++++++------------------ cfg/k3s-cis-1.7/master.yaml | 4 ++-- 11 files changed, 37 insertions(+), 63 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ca69f8022..6d455a8eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: - name: Setup golangci-lint uses: golangci/golangci-lint-action@v4 with: - version: latest + version: v1.57.2 args: --verbose unit: name: Unit tests diff --git a/cfg/config.yaml b/cfg/config.yaml index 05aeeb477..b26115f37 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -95,6 +95,7 @@ master: datadirs: - /var/lib/etcd/default.etcd - /var/lib/etcd/data.etcd + - /var/lib/rancher/k3s/server/db/etcd confs: - /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yml 
@@ -105,6 +106,7 @@ master: - /var/snap/microk8s/current/args/etcd - /usr/lib/systemd/system/etcd.service - /var/lib/rancher/rke2/server/db/etcd/config + - /var/lib/rancher/k3s/server/db/etcd/config defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultdatadir: /var/lib/etcd/default.etcd @@ -234,6 +236,7 @@ etcd: datadirs: - /var/lib/etcd/default.etcd - /var/lib/etcd/data.etcd + - /var/lib/rancher/k3s/server/db/etcd confs: - /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yml diff --git a/cfg/k3s-cis-1.23/config.yaml b/cfg/k3s-cis-1.23/config.yaml index 32033c099..d6deb1ce6 100644 --- a/cfg/k3s-cis-1.23/config.yaml +++ b/cfg/k3s-cis-1.23/config.yaml @@ -24,7 +24,8 @@ master: etcd: bins: - containerd - + datadirs: + - /var/lib/rancher/k3s/server/db/etcd node: components: - kubelet diff --git a/cfg/k3s-cis-1.23/etcd.yaml b/cfg/k3s-cis-1.23/etcd.yaml index 1bbb60d43..54cfd0816 100644 --- a/cfg/k3s-cis-1.23/etcd.yaml +++ b/cfg/k3s-cis-1.23/etcd.yaml @@ -10,15 +10,13 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" - env: "ETCD_CERT_FILE" set: true - flag: "key-file" - env: "ETCD_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure TLS encryption. @@ -30,14 +28,13 @@ groups: - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true 
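Review bot: The top-level `etcd:` section gains the k3s data directory in the `@@ -234` hunk, but its `confs` list — presumably what `$etcdconf` resolves from when the `etcd` target runs — does not get `/var/lib/rancher/k3s/server/db/etcd/config`, while the `master` section receives both paths in the two earlier hunks of this file; the diffstat's three insertions for cfg/config.yaml leave no room for a fourth. Unless the k3s-cis-*/config.yaml overlays set `etcd.confs` themselves (the ones in this patch only add `datadirs` under `master.etcd`), the new grep-based etcd checks would fall back to `defaultconf`, which is the kubeadm manifest path. Adding `- /var/lib/rancher/k3s/server/db/etcd/config` to the etcd-section `confs` list would mirror the master section.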
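Review bot: The `grep -A 4 'client-transport-security'` window in 2.1 ties the check to the exact number and order of keys k3s writes under that block: if the block grows, or if the four-line window spills into the following `peer-transport-security` block, the second grep can match keys from the wrong section and pass or fail for the wrong reason. The same construction is used by 2.2, 2.4 and 2.5 here and in the 1.24 and 1.7 copies of etcd.yaml. A range that stops at the next top-level key, e.g. `sed -n '/^client-transport-security:/,/^[^ ]/p' $etcdconf | grep -E 'cert-file|key-file'`, would not depend on the line count (assuming the block is a top-level key, which the current grep also assumes); failing that, a comment on the check recording the assumed k3s config layout would help the next maintainer.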
@@ -50,15 +47,13 @@ groups: - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" set: false - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" compare: op: eq value: false @@ -70,15 +65,13 @@ groups: - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" set: true - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate @@ -91,14 +84,13 @@ groups: - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true @@ -111,15 +103,13 @@ groups: - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" set: false - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" compare: op: eq value: false 
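Review bot: The 2.3 test items still look for the flag `--auto-tls`, but the new audit prints the config-file key without leading dashes (`auto-tls: ...`, or `notset`), so the literal flag can never be found and the first `set: false` item passes regardless of the configured value; the same applies to `--peer-auto-tls` in the 2.6 hunk below and to the 1.24 and 1.7 copies of both checks. Unless kube-bench strips the dashes when matching — 2.2 and 2.7 in this same file deliberately use dash-less flags, which suggests it does not — both test items should read `- flag: "auto-tls"` (and `- flag: "peer-auto-tls"` for 2.6). A second concern is the `^` anchor: if k3s ever renders the option nested under `client-transport-security`/`peer-transport-security`, as etcd's own config-file format does, the anchored grep misses it and the audit reports `notset`, which again passes; dropping the anchor or searching the `-A` window used by 2.1/2.2 would be more robust.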
@@ -132,11 +122,10 @@ groups: - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" - audit: "check_for_k3s_etcd.sh 2.7" + audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi" tests: test_items: - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" set: true remediation: | [Manual test] diff --git a/cfg/k3s-cis-1.23/master.yaml b/cfg/k3s-cis-1.23/master.yaml index 08d7e7485..a03bca99c 100644 --- a/cfg/k3s-cis-1.23/master.yaml +++ b/cfg/k3s-cis-1.23/master.yaml @@ -155,7 +155,7 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: "check_for_k3s_etcd.sh 1.1.11" + audit: "stat -c %a $etcddatadir" tests: test_items: - flag: "700" @@ -736,7 +736,7 @@ groups: - id: 1.2.26 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 1.2.29" + audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'" tests: bin_op: and test_items: diff --git a/cfg/k3s-cis-1.24/config.yaml b/cfg/k3s-cis-1.24/config.yaml index 32033c099..cafe7019a 100644 --- a/cfg/k3s-cis-1.24/config.yaml +++ b/cfg/k3s-cis-1.24/config.yaml @@ -24,6 +24,8 @@ master: etcd: bins: - containerd + datadirs: + - /var/lib/rancher/k3s/server/db/etcd node: components: diff --git a/cfg/k3s-cis-1.24/etcd.yaml b/cfg/k3s-cis-1.24/etcd.yaml index d797f56c7..40af92e65 100644 --- a/cfg/k3s-cis-1.24/etcd.yaml +++ b/cfg/k3s-cis-1.24/etcd.yaml 
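Review bot: `grep -m1 'Running kube-apiserver'` in the 1.2.26 hunk returns the oldest matching journal entry, since journalctl prints in chronological order, so on a node with a persistent journal the audited arguments can be those of an earlier k3s start rather than the running one; the 1.24 copy has the same form, whereas the 1.7 copy uses `| grep 'Running kube-apiserver' | tail -n1`, which yields the latest. Aligning 1.23 and 1.24 to the 1.7 form, `audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1"`, avoids reading stale arguments. The check's test_items continue past the end of the hunk.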
@@ -10,15 +10,13 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" - env: "ETCD_CERT_FILE" set: true - flag: "key-file" - env: "ETCD_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure TLS encryption. @@ -30,14 +28,13 @@ groups: - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true @@ -50,15 +47,13 @@ groups: - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" set: false - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" compare: op: eq value: false @@ -70,15 +65,13 @@ groups: - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" set: true - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate 
@@ -91,14 +84,13 @@ groups: - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true @@ -111,15 +103,13 @@ groups: - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" set: false - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" compare: op: eq value: false @@ -132,11 +122,10 @@ groups: - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "check_for_k3s_etcd.sh 2.7" + audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi" tests: test_items: - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" set: true remediation: | [Manual test] diff --git a/cfg/k3s-cis-1.24/master.yaml b/cfg/k3s-cis-1.24/master.yaml index ce57bc871..6af44c7a5 100644 --- a/cfg/k3s-cis-1.24/master.yaml +++ b/cfg/k3s-cis-1.24/master.yaml @@ -155,7 +155,7 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: "check_for_k3s_etcd.sh 1.1.11" + audit: "stat -c %a $etcddatadir" tests: test_items: - flag: "700" @@ -735,7 +735,7 @@ groups: - id: 1.2.26 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 1.2.29" + audit: "journalctl -D /var/log/journal -u k3s | grep -m1 'Running kube-apiserver'" tests: bin_op: and test_items: 
diff --git a/cfg/k3s-cis-1.7/config.yaml b/cfg/k3s-cis-1.7/config.yaml index 816af1e8e..e9574b035 100644 --- a/cfg/k3s-cis-1.7/config.yaml +++ b/cfg/k3s-cis-1.7/config.yaml @@ -31,7 +31,8 @@ master: etcd: bins: - containerd - + datadirs: + - /var/lib/rancher/k3s/server/db/etcd node: components: - kubelet diff --git a/cfg/k3s-cis-1.7/etcd.yaml b/cfg/k3s-cis-1.7/etcd.yaml index 1535ea606..d29818148 100644 --- a/cfg/k3s-cis-1.7/etcd.yaml +++ b/cfg/k3s-cis-1.7/etcd.yaml @@ -10,15 +10,13 @@ groups: checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.1" + audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" - env: "ETCD_CERT_FILE" set: true - flag: "key-file" - env: "ETCD_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure TLS encryption. @@ -30,14 +28,13 @@ groups: - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.2" + audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" - env: "ETCD_CLIENT_CERT_AUTH" compare: op: eq value: true @@ -50,15 +47,13 @@ groups: - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.3" + audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" set: false - flag: "--auto-tls" - env: "ETCD_AUTO_TLS" compare: op: eq value: false 
@@ -70,15 +65,13 @@ groups: - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 2.4" + audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'" tests: bin_op: and test_items: - flag: "cert-file" - env: "ETCD_PEER_CERT_FILE" set: true - flag: "key-file" - env: "ETCD_PEER_KEY_FILE" set: true remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate @@ -91,14 +84,13 @@ groups: - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.5" + audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'" tests: bin_op: or test_items: - flag: "--client-cert-auth" set: true - flag: "client-cert-auth" - env: "ETCD_PEER_CLIENT_CERT_AUTH" compare: op: eq value: true @@ -111,15 +103,13 @@ groups: - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" - audit: "check_for_k3s_etcd.sh 2.6" + audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi" tests: bin_op: or test_items: - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" set: false - flag: "--peer-auto-tls" - env: "ETCD_PEER_AUTO_TLS" compare: op: eq value: false @@ -132,11 +122,10 @@ groups: - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" - audit: "check_for_k3s_etcd.sh 2.7" + audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi" tests: test_items: - flag: "trusted-ca-file" - env: "ETCD_TRUSTED_CA_FILE" set: true remediation: | [Manual test] diff --git a/cfg/k3s-cis-1.7/master.yaml b/cfg/k3s-cis-1.7/master.yaml index 8c59d61e6..109b8d84e 100644 --- a/cfg/k3s-cis-1.7/master.yaml +++ b/cfg/k3s-cis-1.7/master.yaml 
@@ -167,7 +167,7 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" - audit: "check_for_k3s_etcd.sh 1.1.11" + audit: "stat -c %a $etcddatadir" tests: test_items: - flag: "700" @@ -738,7 +738,7 @@ groups: - id: 1.2.25 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" - audit: "check_for_k3s_etcd.sh 1.2.29" + audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1" tests: bin_op: and test_items: