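# cfg/cis-1.6-k3s/etcd.yaml -- kube-bench control definitions for the etcd node
# of a K3s cluster (CIS 1.6 K3s profile). $etcdconf is resolved by kube-bench to
# the path of the etcd config file that K3s generates for its embedded etcd.
# Every audit below greps that YAML file; the -A 4 searches assume the keys of a
# *-transport-security block appear within the 4 lines after its header.
---
controls:
  version: "cis-1.6-k3s"
  id: 2
  text: "Etcd Node Configuration"
  type: "etcd"
  groups:
    - id: 2
      text: "Etcd Node Configuration Files"
      checks:
        - id: 2.1
          text: "Ensure that the --cert-file and --key-file arguments are set as appropriate if use etcd as database (Automated)"
          # Scope the search to the client-transport-security block so that the
          # cert-file/key-file lines of the peer-transport-security block (2.4)
          # are not counted in its place. $etcdconf is quoted against paths with spaces.
          audit: grep -A 4 'client-transport-security' "$etcdconf" | grep -E 'cert-file|key-file'
          tests:
            bin_op: and
            test_items:
              - flag: "cert-file"
              - flag: "key-file"
          remediation: |
            By default, K3s uses a config file for etcd that can be found at $etcdconf.
            The config file contains client-transport-security: which has the cert-file and key-file fields for the client-facing certificate and key. No manual remediation needed.
          scored: true

        - id: 2.2
          text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
          # Match client-cert-auth only inside the client-transport-security block;
          # the peer-transport-security block has its own client-cert-auth key,
          # which 2.5 checks separately. An unscoped grep would return both lines.
          audit: grep -A 4 'client-transport-security' "$etcdconf" | grep 'client-cert-auth'
          tests:
            test_items:
              - flag: "client-cert-auth"
                compare:
                  op: eq
                  value: true
          remediation: |
            By default, K3s uses a config file for etcd that can be found at $etcdconf.
            client-cert-auth is set to true. No manual remediation needed.
          scored: true

        - id: 2.3
          text: "Ensure that the --auto-tls argument is not set to true (Automated)"
          # A bare 'auto-tls' pattern also matches a peer-auto-tls line (covered by
          # 2.6), so anchor it at line start or whitespace. The trailing 'cat' keeps
          # the pipeline's exit status 0 when the key is absent, which is the
          # compliant case matched by 'set: false'.
          audit: grep -E '(^|[[:space:]])auto-tls' "$etcdconf" | cat
          tests:
            bin_op: or
            test_items:
              - flag: "auto-tls"
                set: false
              - flag: "auto-tls"
                compare:
                  op: eq
                  value: false
          remediation: |
            By default, K3s starts Etcd without this flag. It is set to false by default.
          scored: true

        - id: 2.4
          text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
          # Same shape as 2.1, scoped to the peer-transport-security block.
          audit: grep -A 4 'peer-transport-security' "$etcdconf" | grep -E 'cert-file|key-file'
          tests:
            bin_op: and
            test_items:
              - flag: "cert-file"
              - flag: "key-file"
          remediation: |
            By default, K3s starts Etcd with a config file found here, $etcdconf.
            The config file contains peer-transport-security: which has fields that have the peer cert and peer key files.
          scored: true

        - id: 2.5
          text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
          # Scoped to the peer block so the client block's client-cert-auth (2.2)
          # does not satisfy this check.
          audit: grep -A 4 'peer-transport-security' "$etcdconf" | grep 'client-cert-auth'
          tests:
            test_items:
              - flag: "client-cert-auth"
                compare:
                  op: eq
                  value: true
          remediation: |
            By default, K3s uses a config file for etcd that can be found at $etcdconf.
            The config file contains peer-transport-security: which has client-cert-auth set to true. No manual remediation needed.
          scored: true

        - id: 2.6
          text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
          # 'peer-auto-tls' is already unambiguous; '| cat' keeps exit status 0 when
          # the key is absent (the compliant 'set: false' case).
          audit: grep 'peer-auto-tls' "$etcdconf" | cat
          tests:
            bin_op: or
            test_items:
              - flag: "peer-auto-tls"
                set: false
              - flag: "peer-auto-tls"
                compare:
                  op: eq
                  value: false
          remediation: |
            By default, K3s uses a config file for etcd that can be found at $etcdconf.
            Within the file, it does not contain the peer-auto-tls field. No manual remediation needed.
          scored: true

        - id: 2.7
          text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
          # CIS 2.7 compares the CA etcd trusts for client certificates
          # (trusted-ca-file under client-transport-security) with the CA the
          # kube-apiserver trusts for its clients (--client-ca-file). The
          # kube-apiserver has no trusted-ca-file flag, so the apiserver value is
          # extracted from the --client-ca-file=... argument of the last logged
          # "Running kube-apiserver" line; splitting the whole log line on '=' and
          # taking $NF would return the last argument's value instead.
          # Only the client block's trusted-ca-file is read so that a second,
          # peer-block trusted-ca-file does not turn etcd_ca into a two-line value.
          # If either value cannot be determined the script prints a distinct
          # token so the check does not silently pass. Written for POSIX sh:
          # '=' instead of '==' and no 'return' outside a function.
          # When no etcd config exists this node does not run etcd and the check
          # is reported as not applicable by printing the passing token.
          audit: |
            if [ -f "$etcdconf" ]; then
              etcd_ca=$(grep -A 4 'client-transport-security' "$etcdconf" | grep 'trusted-ca-file' | awk -F ': *' '{print $NF}' | head -n 1)
              apiserver_ca=$(journalctl -u k3s | grep 'Running kube-apiserver' | tail -n 1 | grep -oE '[-]-client-ca-file=[^ ]+' | awk -F '=' '{print $NF}')
              if [ -z "$etcd_ca" ] || [ -z "$apiserver_ca" ]; then
                echo 'etcd_or_apiserver_ca_not_found'
              elif [ "$etcd_ca" = "$apiserver_ca" ]; then
                echo 'etcd_and_apiserver_have_same_ca'
              else
                echo 'etcd_and_apiserver_ca_not_same'
              fi
            else
              echo 'etcd_and_apiserver_ca_not_same'
            fi
          tests:
            test_items:
              - flag: "etcd_and_apiserver_ca_not_same"
          remediation: |
            By default, K3s uses a config file for etcd that can be found at $etcdconf
            and the trusted-ca-file parameters in it are set to unique values specific to etcd. No manual remediation needed.
          scored: false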