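# cfg/rh-1.0/etcd.yaml — kube-bench checks for the etcd nodes of an OpenShift
# cluster (rh-1.0 benchmark, section 2 "Etcd Node Configuration").
#
# Each audit runs `ps` inside every pod of the openshift-etcd namespace and
# extracts the etcd flag under test, one output line per pod
# (use_multiple_values). All checks are Manual / unscored because the etcd
# cluster operator owns this configuration, but the audits still report what
# is actually running so that a drifted or hand-edited static pod is noticed.
# The audits are written to fail closed: a missing flag, or a pod that cannot
# be inspected, yields a FAIL rather than a silent PASS.
---
controls:
version: rh-1.0
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      - id: 2.1
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Manual)"
        audit: |
          # Print only the --cert-file=... and --key-file=... tokens. With
          # `sed -n ... p` nothing is printed when a flag is absent, so the test
          # below fails instead of matching some other *-file= value that the
          # full command line would otherwise carry through.
          # For --cert-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--cert-file=[^ ]*\).*/\1/p'
          done 2>/dev/null
          # For --key-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--key-file=[^ ]*\).*/\1/p'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            # Both flags must point at the operator-managed serving secret.
            - flag: "file"
              compare:
                op: regex
                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-serving\/etcd-serving-.*\.(?:crt|key)'
        remediation: |
          OpenShift does not use the etcd-certfile or etcd-keyfile flags.
          Certificates for etcd are managed by the etcd cluster operator.
        scored: false

      - id: 2.2
        text: "Ensure that the --client-cert-auth argument is set to true (Manual)"
        audit: |
          # Prints --client-cert-auth=<value> per pod, or nothing when the flag
          # is absent (reported as a FAIL by the test below). A bare
          # --client-cert-auth with no =value also prints nothing and should be
          # confirmed by hand.
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--client-cert-auth=[^ ]*\).*/\1/p'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            - flag: "--client-cert-auth"
              compare:
                op: eq
                value: true
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.3
        text: "Ensure that the --auto-tls argument is not set to true (Manual)"
        audit: |
          # Prints exit_code=0 when --auto-tls is enabled on a pod, exit_code=1
          # when it is not, and exit_code=2 when the pod could not be inspected,
          # so an exec/ps failure is reported as a FAIL rather than as "not
          # found" (in a plain pipeline $? would be grep's 1 in that case).
          # Go-style boolean flags may also be given bare (--auto-tls) or as
          # 1/t/T/TRUE/True, so those spellings are treated as enabled too.
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            cmdline=$(oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd) || { echo exit_code=2; continue; }
            echo "$cmdline" | grep -E -- '--auto-tls(=(1|t|T|TRUE|true|True))?( |$)' ; echo exit_code=$?
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            - flag: "exit_code"
              compare:
                op: eq
                value: "1"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.4
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Manual)"
        audit: |
          # Same shape as 2.1 for the peer listener: only the flag tokens are
          # printed, and a missing flag produces no output (FAIL).
          # For --peer-cert-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--peer-cert-file=[^ ]*\).*/\1/p'
          done 2>/dev/null
          # For --peer-key-file
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--peer-key-file=[^ ]*\).*/\1/p'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            # Both flags must point at the operator-managed peer secret.
            - flag: "file"
              compare:
                op: regex
                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-peer\/etcd-peer-.*\.(?:crt|key)'
        remediation: |
          None. This configuration is managed by the etcd operator.
        scored: false

      - id: 2.5
        text: "Ensure that the --peer-client-cert-auth argument is set to true (Manual)"
        audit: |
          # Prints --peer-client-cert-auth=<value> per pod, or nothing when the
          # flag is absent (FAIL). A bare flag with no =value also prints
          # nothing and should be confirmed by hand.
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--peer-client-cert-auth=[^ ]*\).*/\1/p'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                value: true
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.6
        text: "Ensure that the --peer-auto-tls argument is not set to true (Manual)"
        audit: |
          # Same shape as 2.3 for the peer listener: exit_code=0 enabled,
          # exit_code=1 not enabled, exit_code=2 pod could not be inspected.
          # Bare --peer-auto-tls and the other Go boolean spellings count as
          # enabled.
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            cmdline=$(oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd) || { echo exit_code=2; continue; }
            echo "$cmdline" | grep -E -- '--peer-auto-tls(=(1|t|T|TRUE|true|True))?( |$)' ; echo exit_code=$?
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            - flag: "exit_code"
              compare:
                op: eq
                value: "1"
        remediation: |
          This setting is managed by the cluster etcd operator. No remediation required.
        scored: false

      - id: 2.7
        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
        audit: |
          # Prints the --trusted-ca-file=... and --peer-trusted-ca-file=...
          # tokens per pod; a missing flag produces no output (FAIL).
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--trusted-ca-file=[^ ]*\).*/\1/p'
          done 2>/dev/null
          for i in $(oc get pods -oname -n openshift-etcd)
          do
            oc exec -n openshift-etcd -c etcd "$i" -- ps -o command= -C etcd | sed -n 's/.*\(--peer-trusted-ca-file=[^ ]*\).*/\1/p'
          done 2>/dev/null
        use_multiple_values: true
        tests:
          test_items:
            # This only confirms that the operator-managed etcd CA bundles are
            # the ones in use; it does not compare them against the API server
            # CA, so "unique" is still confirmed by hand.
            - flag: "file"
              compare:
                op: regex
                value: '\/etc\/kubernetes\/static-pod-certs\/configmaps\/etcd-(?:serving|peer-client)-ca\/ca-bundle\.(?:crt|key)'
        remediation: |
          None required. Certificates for etcd are managed by the OpenShift cluster etcd operator.
        scored: false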