feat: rke2 cis spec support
Signed-off-by: chenk <[email protected]>
chen-keinan committed Jun 13, 2024
1 parent f13fa71 commit 924ddef
Showing 46 changed files with 91 additions and 5 deletions.
1 change: 1 addition & 0 deletions commands/kubernetes/adminConfFileOwnership.yaml
@@ -6,3 +6,4 @@
audit: stat -c %U:%G /etc/kubernetes/admin.conf
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/adminConfFilePermissions.yaml
@@ -6,3 +6,4 @@
audit: stat -c %a /etc/kubernetes/admin.conf
platforms:
- k8s
- rke2
@@ -8,3 +8,4 @@
/dev/null
platforms:
- k8s
- rke2
@@ -8,3 +8,4 @@
/dev/null
platforms:
- k8s
- rke2
@@ -6,3 +6,5 @@
audit: stat -c %U:%G /*/cni/*
platforms:
- k8s
- rke2

@@ -6,3 +6,4 @@
audit: stat -c %a /*/cni/*
platforms:
- k8s
- rke2
@@ -6,3 +6,4 @@
audit: stat -c %U:%G $controllermanager.kubeconfig
platforms:
- k8s
- rke2
@@ -6,3 +6,4 @@
audit: stat -c %a $controllermanager.kubeconfig
platforms:
- k8s
- rke2
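--- a/commands/kubernetes/etcdDataDirectoryOwnershipRancher.yaml
+++ b/commands/kubernetes/etcdDataDirectoryOwnershipRancher.yaml
@@ -0,0 +1,8 @@
+---
+- id: CMD-0046
+key: etcdDataDirectoryOwnership
+title: Etcd data directory Ownership
+nodeType: master
+audit: stat -c %U:%G /node/var/lib/etcd
+platforms:
+- rke2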
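Review bot: `audit: stat -c %U:%G /node/var/lib/etcd` in this rke2-only command stats the kubeadm-style etcd data directory, but as far as I recall an rke2 server keeps its embedded etcd data under /var/lib/rancher/rke2/server/db/etcd by default, so on an rke2 node the stat would error and check 1.1.12 could never produce a real ownership result — worth confirming against a live rke2 host before merging. The same path is used by CMD-0047 in etcdDataDirectoryPermissionsRancher.yaml. If the rke2 layout is confirmed, `audit: stat -c %U:%G /node/var/lib/rancher/rke2/server/db/etcd` here and the `%a` equivalent in CMD-0047 would target the right directory; either way a comment above `audit:` naming the distribution layout the path assumes would save the next reader the same question.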
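--- a/commands/kubernetes/etcdDataDirectoryPermissionsRancher.yaml
+++ b/commands/kubernetes/etcdDataDirectoryPermissionsRancher.yaml
@@ -0,0 +1,8 @@
+---
+- id: CMD-0047
+key: etcdDataDirectoryPermissions
+title: Etcd data directory permissions
+nodeType: master
+audit: stat -c %a /node/var/lib/etcd
+platforms:
+- rke2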
1 change: 1 addition & 0 deletions commands/kubernetes/kubeAPIServerSpecFileOwnership.yaml
@@ -6,3 +6,4 @@
audit: stat -c %U:%G $apiserver.confs
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeAPIServerSpecFilePermission.yaml
@@ -6,4 +6,5 @@
audit: stat -c %a $apiserver.confs
platforms:
- k8s
- rke2

@@ -6,3 +6,4 @@
audit: stat -c %U:%G $controllermanager.confs
platforms:
- k8s
- rke2
@@ -6,3 +6,4 @@
audit: stat -c %a $controllermanager.confs
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeEtcdSpecFileOwnership.yaml
@@ -6,3 +6,4 @@
audit: stat -c %U:%G $etcd.confs
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeEtcdSpecFilePermission.yaml
@@ -6,3 +6,4 @@
audit: stat -c %a $etcd.confs
platforms:
- k8s
- rke2
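--- a/commands/kubernetes/kubePKIDirectoryFileOwnershipRancher.yaml
+++ b/commands/kubernetes/kubePKIDirectoryFileOwnershipRancher.yaml
@@ -0,0 +1,9 @@
+---
+- id: CMD-0048
+key: kubePKIDirectoryFileOwnership
+title: Kubernetes PKI directory and file ownership
+nodeType: master
+audit: stat -c %U:%G $(ls -R /node/etc/kubernetes/ssl | awk
+'/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0 }')
+platforms:
+- rke2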
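Review bot: The `ls -R` in CMD-0048's audit lists no dotfiles, whereas the sibling CMD-0049 and CMD-0050 use `ls -aR`, so a hidden key or certificate under /node/etc/kubernetes/ssl would be silently left out of the ownership check, and the ssl directory itself is never passed to stat even though the title says "directory and file ownership". The unquoted `$(...)` also word-splits, so any path containing whitespace turns into a spurious stat error rather than a finding. If the check only consumes the `%U:%G` lines (I can't see the consumer from here), `audit: find /node/etc/kubernetes/ssl -exec stat -c %U:%G {} +` covers the directory, hidden entries and odd names in one call; otherwise at least note the dotfile exclusion in a comment above `audit:`.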
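--- a/commands/kubernetes/kubePKIKeyFilePermissionsRancher.yaml
+++ b/commands/kubernetes/kubePKIKeyFilePermissionsRancher.yaml
@@ -0,0 +1,10 @@
+---
+- id: CMD-0050
+key: kubePKIKeyFilePermissions
+title: Kubernetes PKI certificate file permissions
+nodeType: master
+audit: stat -c %a $(ls -aR /node/etc/kubernetes/ssl | awk
+'/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0}' |
+grep \.key$)
+platforms:
+- rke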
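Review bot: `- rke` on the last line of CMD-0050's platforms list does not match the `rke2` every other command in this commit declares, and specs/compliance/rke2-cis-1.24.yaml now points check 1.1.21 at CMD-0050, so unless the platform matcher is prefix-based (which I can't tell from here) this command is never selected on rke2 and the key-file check has nothing to run; it should read `- rke2`. The title `Kubernetes PKI certificate file permissions` also looks copied from CMD-0049: this command greps `\.key$`, so `title: Kubernetes PKI key file permissions` would agree with the key name and the spec's check name. Lastly, the unquoted `grep \.key$` reaches grep as `.key$` after shell backslash removal, so the dot matches any character; `grep '\.key$'` keeps it literal.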
1 change: 1 addition & 0 deletions commands/kubernetes/kubeSchedulerSpecFileOwnership.yaml
@@ -6,3 +6,4 @@
audit: stat -c %U:%G $scheduler.confs
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeSchedulerSpecFilePermission.yaml
@@ -6,3 +6,4 @@
audit: stat -c %a $scheduler.confs
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeconfigFileExistsOwnership.yaml
@@ -8,3 +8,4 @@
2>/dev/null` || echo $output
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeconfigFileExistsPermissions.yaml
@@ -8,3 +8,4 @@
2>/dev/null` || echo $output
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletAnonymousAuthArgumentSet.yaml
@@ -8,3 +8,4 @@
platforms:
- k8s
- eks
- rke2
@@ -7,3 +7,4 @@
--authorization-mode=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletClientCaFileArgumentSet.yaml
@@ -8,3 +8,4 @@
platforms:
- k8s
- eks
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletConfFileOwnership.yaml
@@ -6,3 +6,4 @@
audit: stat -c %U:%G $kubelet.kubeconfig
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletConfFilePermissions.yaml
@@ -6,3 +6,4 @@
audit: stat -c %a $kubelet.kubeconfig
platforms:
- k8s
- rke2
@@ -7,3 +7,4 @@
platforms:
- k8s
- eks
- rke2
@@ -7,3 +7,4 @@
platforms:
- k8s
- eks
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletEventQpsArgumentSet.yaml
@@ -7,3 +7,4 @@
--event-qps=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
platforms:
- k8s
- rke2
@@ -7,3 +7,4 @@
--hostname-override=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
platforms:
- k8s
- rke2
@@ -9,3 +9,4 @@
platforms:
- k8s
- eks
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletOnlyUseStrongCryptographic.yaml
@@ -7,3 +7,4 @@
'TLSCipherSuites=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
platforms:
- k8s
- rke2
@@ -8,3 +8,4 @@
1'
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletReadOnlyPortArgumentSet.yaml
@@ -8,3 +8,4 @@
platforms:
- k8s
- eks
- rke2
@@ -8,3 +8,4 @@
platforms:
- k8s
- eks
- rke2
@@ -9,3 +9,4 @@
platforms:
- k8s
- eks
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletServiceFileOwnership.yaml
@@ -7,3 +7,4 @@
platforms:
- k8s
- eks
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletServiceFilePermissions.yaml
@@ -6,3 +6,4 @@
audit: stat -c %a $kubelet.svc
platforms:
- k8s
- rke2
@@ -9,3 +9,4 @@
platforms:
- k8s
- eks
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/kubeletTlsCertFileTlsArgumentSet.yaml
@@ -7,3 +7,4 @@
--tls-cert-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
platforms:
- k8s
- rke2
@@ -7,3 +7,4 @@
--tls-private-key-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
platforms:
- k8s
- rke2
@@ -0,0 +1,10 @@
---
- id: CMD-0049
key: kubernetesPKICertificateFilePermissions
title: Kubernetes PKI certificate file permissions
nodeType: master
audit: stat -c %a $(ls -aR /node/etc/kubernetes/ssl |
awk'/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print
s"/"$0}' | grep \.crt$)
platforms:
- rke2
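Review bot: `awk'/:$/&&f{...` on the second line of CMD-0049's audit has no space between `awk` and its program, so the shell concatenates them into a single word and the pipeline fails with "command not found" — no certificate under /node/etc/kubernetes/ssl is ever stat'ed, and check 1.1.20, which the spec now points at CMD-0049, cannot produce a real result. It should read `awk '/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print` with the space, as CMD-0048 and CMD-0050 have it. As with the other PKI commands, the unquoted `grep \.crt$` is seen by grep as `.crt$` once the shell strips the backslash; `grep '\.crt$'` keeps the dot literal. This section carries no file header on the page, so I could not confirm the file name.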
1 change: 1 addition & 0 deletions commands/kubernetes/schedulerConfFileOwnership.yaml
@@ -6,3 +6,4 @@
audit: stat -c %U:%G $scheduler.kubeconfig
platforms:
- k8s
- rke2
1 change: 1 addition & 0 deletions commands/kubernetes/schedulerConfFilePermissions.yaml
@@ -6,3 +6,4 @@
audit: stat -c %a $scheduler.kubeconfig
platforms:
- k8s
- rke2
10 changes: 5 additions & 5 deletions specs/compliance/rke2-cis-1.24.yaml
@@ -114,15 +114,15 @@ spec:
checks:
- id: AVD-KCV-0058
commands:
- id: CMD-0011
- id: CMD-0047
severity: HIGH
- id: 1.1.12
name: Ensure that the etcd data directory ownership is set to etcd:etcd
description: Ensure that the etcd data directory ownership is set to etcd:etcd
checks:
- id: AVD-KCV-0059
commands:
- id: CMD-0012
- id: CMD-0046
severity: LOW
- id: 1.1.13
name: Ensure that the admin.conf file permissions are set to 600
@@ -185,7 +185,7 @@ spec:
checks:
- id: AVD-KCV-0066
commands:
- id: CMD-0019
- id: CMD-0048
severity: CRITICAL
- id: 1.1.20
name: Ensure that the Kubernetes PKI certificate file permissions are set to 600
@@ -195,15 +195,15 @@ spec:
checks:
- id: AVD-KCV-0068
commands:
- id: CMD-0020
- id: CMD-0049
severity: CRITICAL
- id: 1.1.21
name: Ensure that the Kubernetes PKI key file permissions are set to 600
description: Ensure that Kubernetes PKI key files have permissions of 600
checks:
- id: AVD-KCV-0067
commands:
- id: CMD-0021
- id: CMD-0050
severity: CRITICAL
- id: 1.2.1
name: Ensure that the --anonymous-auth argument is set to false
