Overhaul of K3s scans (#1659)
* Overhaul K3s 1.X checks

Signed-off-by: Derek Nola <[email protected]>

* Overhaul K3s 2.X Checks

Signed-off-by: Derek Nola <[email protected]>

* Overhaul K3s 4.X checks

Signed-off-by: Derek Nola <[email protected]>

* Overhaul K3s 5.X checks

Signed-off-by: Derek Nola <[email protected]>

* Add K3s cis-1.8 scan

Signed-off-by: Derek Nola <[email protected]>

* Fix K3s 1.1.10 check

Signed-off-by: Derek Nola <[email protected]>

* Merge journalctl checks for K3s

Signed-off-by: Derek Nola <[email protected]>

* Matched Manual/Automated to correct scoring (false/true)

Signed-off-by: Derek Nola <[email protected]>

* Remove incorrect use of check_for_default_sa.sh script

Signed-off-by: Derek Nola <[email protected]>

---------

Signed-off-by: Derek Nola <[email protected]>
Co-authored-by: afdesk <[email protected]>
dereknola and afdesk authored Sep 25, 2024
1 parent f8b6f2f commit a9422a6
Showing 25 changed files with 3,056 additions and 1,129 deletions.
8 changes: 6 additions & 2 deletions cfg/config.yaml
Expand Up @@ -164,7 +164,6 @@ node:
- "/var/snap/microk8s/current/credentials/kubelet.config"
- "/etc/kubernetes/kubeconfig-kubelet"
- "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"
- "/var/lib/rancher/k3s/server/cred/admin.kubeconfig"
- "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
confs:
- "/etc/kubernetes/kubelet-config.yaml"
Expand All @@ -190,7 +189,6 @@ node:
- "/etc/systemd/system/snap.kubelet.daemon.service"
- "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
- "/etc/kubernetes/kubelet.yaml"
- "/var/lib/rancher/rke2/agent/kubelet.kubeconfig"

defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
Expand Down Expand Up @@ -438,6 +436,12 @@ target_mapping:
- "controlplane"
- "node"
- "policies"
"k3s-cis-1.8":
- "master"
- "etcd"
- "controlplane"
- "node"
- "policies"
"k3s-cis-1.23":
- "master"
- "etcd"
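Review bot: The `k3s-cis-1.8` entry added to `target_mapping` is only one of the two places kube-bench reads a benchmark name from; the `version_mapping` section earlier in this file is outside the hunk, and if the commit does not add a matching row there (keyed like the existing k3s entries) the new profile is reachable only through an explicit `--benchmark k3s-cis-1.8` and never through version auto-detection. Worth confirming, since the diffstat lists 25 files but only the target list is visible here. The new target list itself mirrors the `k3s-cis-1.23` entry below it, so no issue with its contents.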
2 changes: 1 addition & 1 deletion cfg/k3s-cis-1.23/controlplane.yaml
Expand Up @@ -21,7 +21,7 @@ groups:
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'"
type: "manual"
tests:
test_items:
72 changes: 36 additions & 36 deletions cfg/k3s-cis-1.23/master.yaml


16 changes: 8 additions & 8 deletions cfg/k3s-cis-1.23/node.yaml
Expand Up @@ -186,7 +186,7 @@ groups:
checks:
- id: 4.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
tests:
test_items:
- flag: "--anonymous-auth"
Expand All @@ -209,7 +209,7 @@ groups:

- id: 4.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi'' '
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi'' '
tests:
test_items:
- flag: --authorization-mode
Expand All @@ -231,7 +231,7 @@ groups:

- id: 4.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: '/bin/sh -c ''if test $(journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -D /var/log/journal -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
tests:
test_items:
- flag: --client-ca-file
Expand All @@ -251,7 +251,7 @@ groups:

- id: 4.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port' "
audit: "journalctl -m -u k3s | grep 'Running kubelet' | tail -n1 | grep 'read-only-port' "
tests:
bin_op: or
test_items:
Expand All @@ -276,7 +276,7 @@ groups:

- id: 4.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'"
audit: "journalctl -m -u k3s | grep 'Running kubelet' | tail -n1 | grep 'streaming-connection-idle-timeout'"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
Expand All @@ -302,7 +302,7 @@ groups:

- id: 4.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'protect-kernel-defaults'"
audit: "journalctl -m -u k3s | grep 'Running kubelet' | tail -n1 | grep 'protect-kernel-defaults'"
type: "skip"
tests:
test_items:
Expand All @@ -325,7 +325,7 @@ groups:

- id: 4.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1 | grep 'make-iptables-util-chains'"
audit: "journalctl -m -u k3s | grep 'Running kubelet' | tail -n1 | grep 'make-iptables-util-chains'"
type: "skip"
tests:
test_items:
Expand Down Expand Up @@ -393,7 +393,7 @@ groups:

- id: 4.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kubelet' | tail -n1"
audit: "journalctl -m -u k3s | grep 'Running kubelet' | tail -n1"
tests:
test_items:
- flag: --tls-cert-file
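Review bot: Checks 4.2.1, 4.2.2 and 4.2.3 are kubelet items, yet their rewritten audit commands still key off `Running kube-apiserver` and, on a node whose journal has no such line, echo a hard-coded default (`--anonymous-auth=false`, `--authorization-mode=Webhook`, `--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt`), so on an agent node the test never sees the kubelet's real arguments and cannot fail regardless of how the kubelet was configured. The `-D /var/log/journal` to `-m` change leaves that logic untouched, and each check's `test_items` continue outside the hunk. Every other kubelet check in this file (4.2.4 onward) greps `Running kubelet`, so the consistent form for 4.2.1 would be `journalctl -m -u k3s | grep 'Running kubelet' | tail -n1 | grep 'anonymous-auth'`, with the same substitution for 4.2.2 and 4.2.3, unless there is a K3s logging reason for reading the apiserver line that is not visible here, in which case a comment stating it would help the next maintainer. The `| grep -v grep` tail on those three lines is also a no-op against journal output and can go.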
54 changes: 32 additions & 22 deletions cfg/k3s-cis-1.24/config.yaml
Expand Up @@ -16,33 +16,43 @@ master:
scheduler:
bins:
- containerd
kubeconfig:
- /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig

controllermanager:
bins:
- containerd
kubeconfig:
- /var/lib/rancher/k3s/server/cred/controller.kubeconfig


etcd:
bins:
- containerd
datadirs:
- /var/lib/rancher/k3s/server/db/etcd

node:
components:
- kubelet
- proxy

kubelet:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt

proxy:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig

policies:
components:
- policies

etcd:
components:
- etcd

etcd:
confs: /var/lib/rancher/k3s/server/db/etcd/config

node:
components:
- kubelet
- proxy

kubelet:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt

proxy:
bins:
- containerd
defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig

policies:
components:
- policies
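Review bot: The etcd `confs:` value is written as a plain scalar while every other path key in this file (`kubeconfig`, `datadirs`) and the `confs` lists in the top-level cfg/config.yaml are sequences; the rendered view drops indentation and side markers, so I cannot tell which side this line sits on, but on the new side it should be checked against how the loader reads `confs` (list vs. string) and is safer written as a one-element sequence, `confs:` followed by `- /var/lib/rancher/k3s/server/db/etcd/config`. The rendering also shows `node:` and `etcd:` twice, which is presumably old-versus-new rather than duplicate keys — worth a glance at the raw file, since most YAML parsers silently keep the last duplicate.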
2 changes: 1 addition & 1 deletion cfg/k3s-cis-1.24/controlplane.yaml
Expand Up @@ -21,7 +21,7 @@ groups:
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Automated)"
audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'"
tests:
test_items:
- flag: "--audit-policy-file"
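Review bot: The 3.2.1 header here reads "(Automated)" while the sibling cfg/k3s-cis-1.23/controlplane.yaml in this same commit keeps 3.2.1 as "(Manual)" with `type: "manual"`; the `scored` and `type` lines for this check sit outside the hunk, so I cannot see whether they agree with the label. Given the commit's own "Matched Manual/Automated to correct scoring" item, it is worth confirming the two profiles are meant to differ and that this check's `scored` value matches "(Automated)".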
141 changes: 74 additions & 67 deletions cfg/k3s-cis-1.24/etcd.yaml
Expand Up @@ -10,128 +10,135 @@ groups:
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
audit_config: "cat $etcdconf"
tests:
bin_op: and
test_items:
- flag: "cert-file"
set: true
- flag: "key-file"
set: true
- path: "{.client-transport-security.cert-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt"
- path: "{.client-transport-security.key-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key"
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
scored: true
If running on with sqlite or a external DB, etcd checks are Not Applicable.
When running with embedded-etcd, K3s generates cert and key files for etcd.
These are located in /var/lib/rancher/k3s/server/tls/etcd/.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use custom cert and key files.
scored: false

- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "grep -A 4 'client-transport-security' $etcdconf | grep 'client-cert-auth'"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
- path: "{.client-transport-security.client-cert-auth}"
compare:
op: eq
value: true
set: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--client-cert-auth="true"
scored: true
If running on with sqlite or a external DB, etcd checks are Not Applicable.
When running with embedded-etcd, K3s sets the --client-cert-auth parameter to true.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to disable client certificate authentication.
scored: false

- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "if grep -q '^auto-tls' $etcdconf;then grep '^auto-tls' $etcdconf;else echo 'notset';fi"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
- flag: "--auto-tls"
set: false
- flag: "--auto-tls"
- path: "{.client-transport-security.auto-tls}"
compare:
op: eq
value: false
- path: "{.client-transport-security.auto-tls}"
set: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
If running on with sqlite or a external DB, etcd checks are Not Applicable.
When running with embedded-etcd, K3s does not set the --auto-tls parameter.
If this check fails, edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
scored: true
client-transport-security:
auto-tls: false
scored: false

- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'"
audit_config: "cat $etcdconf"
tests:
bin_op: and
test_items:
- flag: "cert-file"
set: true
- flag: "key-file"
set: true
- path: "{.peer-transport-security.cert-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt"
- path: "{.peer-transport-security.key-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key"
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
scored: true
If running on with sqlite or a external DB, etcd checks are Not Applicable.
When running with embedded-etcd, K3s generates peer cert and key files for etcd.
These are located in /var/lib/rancher/k3s/server/tls/etcd/.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use custom peer cert and key files.
scored: false

- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
- flag: "--client-cert-auth"
set: true
- flag: "client-cert-auth"
- path: "{.peer-transport-security.client-cert-auth}"
compare:
op: eq
value: true
set: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--peer-client-cert-auth=true
scored: true
If running on with sqlite or a external DB, etcd checks are Not Applicable.
When running with embedded-etcd, K3s sets the --peer-cert-auth parameter to true.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to disable peer client certificate authentication.
scored: false

- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "if grep -q '^peer-auto-tls' $etcdconf;then grep '^peer-auto-tls' $etcdconf;else echo 'notset';fi"
audit_config: "cat $etcdconf"
tests:
bin_op: or
test_items:
- flag: "--peer-auto-tls"
set: false
- flag: "--peer-auto-tls"
- path: "{.peer-transport-security.auto-tls}"
compare:
op: eq
value: false
set: true
- path: "{.peer-transport-security.auto-tls}"
set: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
If running on with sqlite or a external DB, etcd checks are Not Applicable.
When running with embedded-etcd, K3s does not set the --peer-auto-tls parameter.
If this check fails, edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
scored: true
peer-transport-security:
auto-tls: false
scored: false

- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Automated)"
audit: "if grep -q 'trusted-ca-file' $etcdconf;then grep 'trusted-ca-file' $etcdconf;else echo 'notset';fi"
audit_config: "cat $etcdconf"
tests:
test_items:
- flag: "trusted-ca-file"
set: true
- path: "{.peer-transport-security.trusted-ca-file}"
compare:
op: eq
value: "/var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt"
remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
If running on with sqlite or a external DB, etcd checks are Not Applicable.
When running with embedded-etcd, K3s generates a unique certificate authority for etcd.
This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt.
If this check fails, ensure that the configuration file $etcdconf
has not been modified to use a shared certificate authority.
scored: false
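Review bot: Check 2.7 validates only `{.peer-transport-security.trusted-ca-file}`, but the benchmark item and the remediation text above it concern the CA that etcd's client-facing listener trusts, which in the config K3s generates for embedded etcd sits under `client-transport-security.trusted-ca-file` (a separate server CA in the same tls/etcd directory, if memory serves); as written, a modified client trust store still passes. A second test item under `bin_op: and`, `- path: "{.client-transport-security.trusted-ca-file}"` compared `eq` against that CA's path, would cover the listener the control matters for. Two documentation nits in the rewritten remediations: 2.5 says "K3s sets the --peer-cert-auth parameter" where the flag is `--peer-client-cert-auth`, and "If running on with sqlite or a external DB" (repeated in 2.1 through 2.7) should read "If running with sqlite or an external DB". Note also that the 2.1 and 2.4 `eq` comparisons against the default K3s paths will fail on clusters that legitimately supply their own certificates; the remediation acknowledges this, but the "(Automated)" label may be read as a hard failure, so a one-line note in the check text would avoid false escalations.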
