fix: Checks of rke2-1.8 (#2010)

* fix: Checks of rke2-1.8

* fix checks 1.1.7 and 1.1.8 in all rke2 versions

* fix the mentioned issues

* fix the check 1.1.11

---------
LaibaBareera
2025-12-22 13:00:43 +05:00
committed by GitHub
parent 60eb8104ad
commit 462a50341a
9 changed files with 69 additions and 80 deletions


@@ -99,12 +99,13 @@ groups:
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
audit: |
/bin/sh -c 'if [ -d "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" -exec stat -c "permissions=%a" {} +
else
echo "Directory not found"
fi'
use_multiple_values: true
/bin/sh -c '
if [ -e "$etcdconf" ]; then
stat -c "permissions=%a %n" "$etcdconf"
else
echo "Directory not found"
fi
'
tests:
bin_op: or
test_items:
@@ -122,11 +123,13 @@ groups:
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
audit: |
/bin/sh -c 'if [ -d "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} +
else
echo "Directory not found"
fi'
/bin/sh -c '
if [ -e $etcdconf ]; then
stat -c "ownership=%U:%G %n" $etcdconf
else
echo "Directory not found"
fi
'
tests:
bin_op: or
test_items:
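Review bot: The rewritten 1.1.8 audit leaves `$etcdconf` unquoted in `if [ -e $etcdconf ]; then` and in the `stat` call, whereas the 1.1.7 audit changed in the same commit quotes it. If the variable is empty or unset, `[ -e ]` becomes a one-argument test that is true, so the script runs `stat` with no operand and emits neither the `ownership=` line nor the intended fallback; a path with whitespace would be word-split the same way. Change the two lines to `if [ -e "$etcdconf" ]; then` and `stat -c "ownership=%U:%G %n" "$etcdconf"`. Both audits now test a single path with `-e`, so the fallback string `Directory not found` is also misleading for a file; the 1.1.8 test_items that match on it continue outside the hunk, so any rename must be mirrored there.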


@@ -99,12 +99,13 @@ groups:
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
audit: |
/bin/sh -c 'if [ -d "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" -exec stat -c "permissions=%a" {} +
else
echo "Directory not found"
fi'
use_multiple_values: true
/bin/sh -c '
if [ -e "$etcdconf" ]; then
stat -c "permissions=%a %n" "$etcdconf"
else
echo "Directory not found"
fi
'
tests:
bin_op: or
test_items:
@@ -122,11 +123,13 @@ groups:
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
audit: |
/bin/sh -c 'if [ -d "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} +
else
echo "Directory not found"
fi'
/bin/sh -c '
if [ -e $etcdconf ]; then
stat -c "ownership=%U:%G %n" $etcdconf
else
echo "Directory not found"
fi
'
tests:
bin_op: or
test_items:
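Review bot: In the new 1.1.8 audit `$etcdconf` is unquoted on both the `[ -e $etcdconf ]` test and the `stat` line, unlike the quoted `"$etcdconf"` the same commit writes for 1.1.7 a few lines above. With an unset or empty variable the test collapses to `[ -e ]`, which is true, and `stat` is then invoked with no path, so the check produces neither the `ownership=` output nor the `Directory not found` fallback the test_items expect. Quote it as in 1.1.7: `if [ -e "$etcdconf" ]; then` / `stat -c "ownership=%U:%G %n" "$etcdconf"`. The remaining test_items of 1.1.8 are outside the hunk.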


@@ -99,13 +99,13 @@ groups:
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"
audit: |
/bin/sh -c 'if [ -d "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" \
-exec stat -c "permissions=%a %n" {} +
else
echo "Directory not found"
fi'
use_multiple_values: true
/bin/sh -c '
if [ -e "$etcdconf" ]; then
stat -c "permissions=%a %n" "$etcdconf"
else
echo "Directory not found"
fi
'
tests:
bin_op: or
test_items:
@@ -125,11 +125,13 @@ groups:
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
audit: |
/bin/sh -c 'if [ -d "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} +
else
echo "Directory not found"
fi'
/bin/sh -c '
if [ -e $etcdconf ]; then
stat -c "ownership=%U:%G %n" $etcdconf
else
echo "Directory not found"
fi
'
tests:
bin_op: or
test_items:
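Review bot: The 1.1.8 audit in this file has the same unquoted `$etcdconf` as the sibling versions (`if [ -e $etcdconf ]` and `stat -c "ownership=%U:%G %n" $etcdconf`), while 1.1.7 directly above quotes it. An empty variable turns the test into `[ -e ]`, which is true, and the subsequent `stat` fails with a missing operand instead of reaching the `Directory not found` branch; the fix is to quote both uses: `if [ -e "$etcdconf" ]; then` and `stat -c "ownership=%U:%G %n" "$etcdconf"`. Since the guard is now `-e` on a single path rather than `-d` on a directory, consider whether `Directory not found` is still the right wording; the test_items that key on it lie outside the hunk.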


@@ -1,22 +1,2 @@
---
## Version-specific settings that override the values in cfg/config.yaml
master:
components:
- apiserver
- kubelet
- scheduler
- controllermanager
- etcd
- policies
kubelet:
bins:
- kubelet
node:
kubelet:
defaultkubeconfig: "/node/etc/kubernetes/ssl/kubecfg-kube-node.yaml"
defaultcafile: "/node/etc/kubernetes/ssl/kube-ca.pem"
bins:
- kubelet
proxy:
defaultkubeconfig: "/node/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml"


@@ -1,6 +1,6 @@
---
controls:
version: "cis-1.8"
version: "rke2-cis-1.8"
id: 3
text: "Control Plane Configuration"
type: "controlplane"


@@ -1,13 +1,10 @@
---
controls:
version: "cis-1.8"
version: "rke2-cis-1.8"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 1.1
text: "Control Plane Node Configuration Files"
checks:
- id: 2
text: "Etcd Node Configuration"
checks:


@@ -1,6 +1,6 @@
---
controls:
version: "cis-1.8"
version: "rke2-cis-1.8"
id: 1
text: "Control Plane Security Configuration"
type: "master"
@@ -98,15 +98,14 @@ groups:
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"
audit: |
/bin/sh -c 'if [ -e "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" \
-exec stat -c "permissions=%a %n" {} +
/bin/sh -c '
if [ -e "$etcdconf" ]; then
stat -c "permissions=%a %n" "$etcdconf"
else
echo "Directory not found"
fi'
use_multiple_values: true
fi
'
tests:
bin_op: or
test_items:
@@ -126,16 +125,21 @@ groups:
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
audit: |
/bin/sh -c 'if [ -e "$etcdconf" ]; then
find "$etcdconf" -type f -name "*etcd*" -exec stat -c "%U:%G %n" {} +
/bin/sh -c '
if [ -e "$etcdconf" ]; then
stat -c "ownership=%U:%G %n" "$etcdconf"
else
echo "Directory not found"
fi'
use_multiple_values: true
fi
'
tests:
bin_op: or
test_items:
- flag: "root:root"
- flag: "ownership"
compare:
op: eq
value: "root:root"
set: true
- flag: "Directory not found"
set: true
remediation: |
@@ -181,20 +185,20 @@ groups:
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: |
/bin/sh -c 'if [ -e "/node/var/lib/etcd" ]; then
stat -c "%a" "/node/var/lib/etcd"
/bin/sh -c 'if [ -e "/var/lib/rancher/rke2/server/db/etcd" ]; then
stat -c "permissions=%a %n" "/var/lib/rancher/rke2/server/db/etcd"
else
echo "Directory not found: /node/var/lib/etcd"
echo "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
fi'
tests:
bin_op: or
test_items:
- flag: "700"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "700"
set: true
- flag: "Directory not found: /node/var/lib/etcd"
- flag: "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'.
@@ -204,7 +208,7 @@ groups:
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: "stat -c %U:%G /node/var/lib/etcd"
audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd"
tests:
test_items:
- flag: "etcd:etcd"
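Review bot: The 1.1.12 audit hard-codes the same data-dir path as 1.1.11 but has no existence guard, so on a node where `/var/lib/rancher/rke2/server/db/etcd` is absent 1.1.11 passes through its `Directory not found` branch while 1.1.12 fails on stat's error; the two checks should treat that situation the same way. Note also that the `bin_op: or` fallback in 1.1.11 means a wrong hard-coded path is reported as compliant rather than as a finding, which is worth keeping in mind given that the remediation text still tells the operator to read `--data-dir` from the running process. If a missing data dir is meant to pass (as 1.1.11 now does), mirror its guard and fallback flag in 1.1.12 as below; otherwise both checks should fail closed. The rest of the `etcd:etcd` test item and the 1.1.12 remediation are outside the hunk.
```yaml
- id: 1.1.12
  text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
  audit: |
    /bin/sh -c 'if [ -e "/var/lib/rancher/rke2/server/db/etcd" ]; then
      stat -c %U:%G "/var/lib/rancher/rke2/server/db/etcd"
    else
      echo "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
    fi'
  tests:
    bin_op: or
    test_items:
      - flag: "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
      - flag: "etcd:etcd"
      # … unchanged: rest of this item and the remediation block …
```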


@@ -1,6 +1,6 @@
---
controls:
version: "cis-1.8"
version: "rke2-cis-1.8"
id: 4
text: "Worker Node Security Configuration"
type: "node"


@@ -1,6 +1,6 @@
---
controls:
version: "cis-1.8"
version: "rke2-cis-1.8"
id: 5
text: "Kubernetes Policies"
type: "policies"