feat: support node-collector commands

Signed-off-by: chenk <[email protected]>

commands/kubelet_mapping_cfg.yaml

@@ -0,0 +1,16 @@
+## this file repesent node kubelet-config api mapping param to the collector config params
+## example kubectl get --raw "/api/v1/nodes/<node name>/proxy/configz"
+---
+kubeletAnonymousAuthArgumentSet: kubeletconfig.authentication.anonymous.enabled
+kubeletAuthorizationModeArgumentSet: kubeletconfig.authorization.mode
+kubeletClientCaFileArgumentSet: kubeletconfig.authentication.x509.clientCAFile
+kubeletReadOnlyPortArgumentSet: kubeletconfig.readOnlyPort
+kubeletStreamingConnectionIdleTimeoutArgumentSet: kubeletconfig.streamingConnectionIdleTimeout
+kubeletProtectKernelDefaultsArgumentSet: kubeletconfig.protectKernelDefaults
+kubeletMakeIptablesUtilChainsArgumentSet: kubeletconfig.makeIPTablesUtilChains
+kubeletEventQpsArgumentSet: kubeletconfig.eventRecordQPS",
+kubeletRotateKubeletServerCertificateArgumentSet: kubeletconfig.featureGates.RotateKubeletServerCertificate
+kubeletRotateCertificatesArgumentSet: kubeletconfig.rotateCertificates
+kubeletTlsCertFileTlsArgumentSet: kubeletconfig.tlsCertFile
+kubeletTlsPrivateKeyFileArgumentSet: kubeletconfig.tlsPrivateKeyFile
+kubeletOnlyUseStrongCryptographic: kubeletconfig.tlsCipherSuites

commands/kubernetes/adminConfFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0014
+  key: adminConfFileOwnership
+  title: admin.conf file ownership
+  nodeType: master
+  audit: stat -c %U:%G /etc/kubernetes/admin.conf
+  platforms:
+    - k8s

commands/kubernetes/adminConfFilePermissions_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0013
+  key: adminConfFilePermissions
+  title: admin.conf file permissions
+  nodeType: master
+  audit: stat -c %a /etc/kubernetes/admin.conf
+  platforms:
+    - k8s

commands/kubernetes/certificateAuthoritiesFileOwnership_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0029
+  key: certificateAuthoritiesFileOwnership
+  title: Client certificate authorities file ownership
+  nodeType: worker
+  audit: stat -c %U:%G $(ps -ef | grep $kubelet.bins |grep 'client-ca-file' | grep
+    -o 'client-ca-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1') 2>
+    /dev/null
+  platforms:
+    - k8s

commands/kubernetes/certificateAuthoritiesFilePermissions_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0028
+  key: certificateAuthoritiesFilePermissions
+  title: Client certificate authorities file permissions
+  nodeType: worker
+  audit: stat -c %a $(ps -ef | grep kubelet |grep 'client-ca-file' | grep -o
+    'client-ca-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1') 2>
+    /dev/null
+  platforms:
+    - k8s

commands/kubernetes/containerNetworkInterfaceFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0010
+  key: containerNetworkInterfaceFileOwnership
+  title: Container Network Interface file ownership
+  nodeType: master
+  audit: stat -c %U:%G /*/cni/*
+  platforms:
+    - k8s

commands/kubernetes/containerNetworkInterfaceFilePermissions_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0009
+  key: containerNetworkInterfaceFilePermissions
+  title: Container Network Interface file permissions
+  nodeType: master
+  audit: stat -c %a /*/cni/*
+  platforms:
+    - k8s

commands/kubernetes/controllerManagerConfFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0018
+  key: controllerManagerConfFileOwnership
+  title: controller-manager.conf file ownership
+  nodeType: master
+  audit: stat -c %U:%G $controllermanager.kubeconfig
+  platforms:
+    - k8s

commands/kubernetes/controllerManagerConfFilePermissions_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0017
+  key: controllerManagerConfFilePermissions
+  title: controller-manager.conf file permissions
+  nodeType: master
+  audit: stat -c %a $controllermanager.kubeconfig
+  platforms:
+    - k8s

commands/kubernetes/etcdDataDirectoryOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0012
+  key: etcdDataDirectoryOwnership
+  title: Etcd data directory Ownership
+  nodeType: master
+  audit: stat -c %U:%G $etcd.datadirs
+  platforms:
+    - k8s

commands/kubernetes/etcdDataDirectoryPermissions_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0011
+  key: etcdDataDirectoryPermissions
+  title: Etcd data directory permissions
+  nodeType: master
+  audit: stat -c %a $etcd.datadirs
+  platforms:
+    - k8s

commands/kubernetes/kubeAPIServerSpecFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0002
+  key: kubeAPIServerSpecFileOwnership
+  title: API server pod specification file ownership
+  nodeType: master
+  audit: stat -c %U:%G $apiserver.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeAPIServerSpecFilePermission_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0001
+  key: kubeAPIServerSpecFilePermission
+  title: API server pod specification file permissions
+  nodeType: master
+  audit: stat -c %a $apiserver.confs
+  platforms:
+    - k8s
+

commands/kubernetes/kubeControllerManagerSpecFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0004
+  key: kubeControllerManagerSpecFileOwnership
+  title: Controller manager pod specification file ownership is set to root:root
+  nodeType: master
+  audit: stat -c %U:%G $controllermanager.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeControllerManagerSpecFilePermission_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0003
+  key: kubeControllerManagerSpecFilePermission
+  title: Controller manager pod specification file permissions
+  nodeType: master
+  audit: stat -c %a $controllermanager.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeEtcdSpecFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0008
+  key: kubeEtcdSpecFileOwnership
+  title: Etcd pod specification file ownership
+  nodeType: master
+  audit: stat -c %U:%G $etcd.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeEtcdSpecFilePermission_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0007
+  key: kubeEtcdSpecFilePermission
+  title: Etcd pod specification file permissions
+  nodeType: master
+  audit: stat -c %a $etcd.confs
+  platforms:
+    - k8s

commands/kubernetes/kubePKIDirectoryFileOwnership_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0019
+  key: kubePKIDirectoryFileOwnership
+  title: Kubernetes PKI directory and file ownership
+  nodeType: master
+  audit: stat -c %U:%G $(ls -R $kubelet.cafile | awk
+    '/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0 }')
+  platforms:
+    - k8s

commands/kubernetes/kubePKIKeyFilePermissions_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0021
+  key: kubePKIKeyFilePermissions
+  title: Kubernetes PKI certificate file permissions
+  nodeType: master
+  audit: stat -c %a $(ls -aR $kubelet.cafile | awk
+    '/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0}' |
+    grep \.key$)
+  platforms:
+    - k8s

commands/kubernetes/kubeSchedulerSpecFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0006
+  key: kubeSchedulerSpecFileOwnership
+  title: Scheduler pod specification file ownership
+  nodeType: master
+  audit: stat -c %U:%G $scheduler.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeSchedulerSpecFilePermission_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0005
+  key: kubeSchedulerSpecFilePermission
+  title: Scheduler pod specification file permissions
+  nodeType: master
+  audit: stat -c %a $scheduler.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeconfigFileExistsOwnership_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0025
+  key: kubeconfigFileExistsOwnership
+  title: Kubeconfig file exists ensure ownership
+  nodeType: worker
+  audit: output=`stat -c %U:%G $(ps -ef | grep $proxy.bins |grep 'kubeconfig' |
+    grep -o 'kubeconfig=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1')
+    2>/dev/null` || echo $output
+  platforms:
+    - k8s

commands/kubernetes/kubeconfigFileExistsPermissions_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0024
+  key: kubeconfigFileExistsPermissions
+  title: Kubeconfig file exists ensure permissions
+  nodeType: worker
+  audit: output=`stat -c %a $(ps -ef | grep $proxy.bins |grep 'kubeconfig' | grep
+    -o 'kubeconfig=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1')
+    2>/dev/null` || echo $output
+  platforms:
+    - k8s

commands/kubernetes/kubeletAnonymousAuthArgumentSet_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0032
+  key: kubeletAnonymousAuthArgumentSet
+  title: kubelet --anonymous-auth argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --anonymous-auth' | grep -o '
+    --anonymous-auth=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletAuthorizationModeArgumentSet_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0033
+  key: kubeletAuthorizationModeArgumentSet
+  title: kubelet --authorization-mode argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --authorization-mode' | grep -o '
+    --authorization-mode=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletClientCaFileArgumentSet_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0034
+  key: kubeletClientCaFileArgumentSet
+  title: kubelet --client-ca-file argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --client-ca-file' | grep -o '
+    --client-ca-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletConfFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0027
+  key: kubeletConfFileOwnership
+  title: kubelet.conf file ownership
+  nodeType: worker
+  audit: stat -c %U:%G $kubelet.kubeconfig
+  platforms:
+    - k8s

commands/kubernetes/kubeletConfFilePermissions_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0026
+  key: kubeletConfFilePermissions
+  title: kubelet.conf file permissions
+  nodeType: worker
+  audit: stat -c %a $kubelet.kubeconfig
+  platforms:
+    - k8s

commands/kubernetes/kubeletConfigYamlConfigurationFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0031
+  key: kubeletConfigYamlConfigurationFileOwnership
+  title: kubelet config.yaml configuration file ownership
+  nodeType: worker
+  audit: stat -c %U:%G $kubelet.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeletConfigYamlConfigurationFilePermission_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0030
+  key: kubeletConfigYamlConfigurationFilePermission
+  title: kubelet config.yaml configuration file permissions
+  nodeType: worker
+  audit: stat -c %a $kubelet.confs
+  platforms:
+    - k8s

commands/kubernetes/kubeletEventQpsArgumentSet_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0040
+  key: kubeletEventQpsArgumentSet
+  title: kubelet --event-qps argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --event-qps' | grep -o '
+    --event-qps=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletHostnameOverrideArgumentSet_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0039
+  key: kubeletHostnameOverrideArgumentSet
+  title: kubelet hostname-override argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --hostname-override' | grep -o '
+    --hostname-override=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletMakeIptablesUtilChainsArgumentSet_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0038
+  key: kubeletMakeIptablesUtilChainsArgumentSet
+  title: kubelet --make-iptables-util-chains argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --make-iptables-util-chains' | grep
+    -o ' --make-iptables-util-chains=[^"]\S*' | awk -F "=" '{print $2}' |awk
+    'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletOnlyUseStrongCryptographic_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0045
+  key: kubeletOnlyUseStrongCryptographic
+  title: Kubelet only makes use of Strong Cryptographic
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep 'TLSCipherSuites' | grep -o
+    'TLSCipherSuites=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletProtectKernelDefaultsArgumentSet_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0037
+  key: kubeletProtectKernelDefaultsArgumentSet
+  title: kubelet --protect-kernel-defaults argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --protect-kernel-defaults' | grep -o
+    ' --protect-kernel-defaults=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <=
+    1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletReadOnlyPortArgumentSet_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0035
+  key: kubeletReadOnlyPortArgumentSet
+  title: kubelet --read-only-port argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --read-only-port' | grep -o '
+    --read-only-port=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletRotateCertificatesArgumentSet_cmd.yaml

@@ -0,0 +1,9 @@
+---
+- id: CMD-0043
+  key: kubeletRotateCertificatesArgumentSet
+  title: kubelet --rotate-certificates argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep ' --rotate-certificates' | grep -o '
+    --rotate-certificates=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletRotateKubeletServerCertificateArgumentSet_cmd.yaml

@@ -0,0 +1,10 @@
+---
+- id: CMD-0044
+  key: kubeletRotateKubeletServerCertificateArgumentSet
+  title: kubelet RotateKubeletServerCertificate argument is set
+  nodeType: worker
+  audit: ps -ef | grep $kubelet.bins |grep 'RotateKubeletServerCertificate' | grep
+    -o 'RotateKubeletServerCertificate=[^"]\S*' | awk -F "=" '{print $2}' |awk
+    'FNR <= 1'
+  platforms:
+    - k8s

commands/kubernetes/kubeletServiceFileOwnership_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0023
+  key: kubeletServiceFileOwnership
+  title: Kubelet service file ownership
+  nodeType: worker
+  audit: stat -c %U:%G $kubelet.svc
+  platforms:
+    - k8s

commands/kubernetes/kubeletServiceFilePermissions_cmd.yaml

@@ -0,0 +1,8 @@
+---
+- id: CMD-0022
+  key: kubeletServiceFilePermissions
+  title: Kubelet service file permissions
+  nodeType: worker
+  audit: stat -c %a $kubelet.svc
+  platforms:
+    - k8s