From 462a50341abe1160214d140bb164c23a67112548 Mon Sep 17 00:00:00 2001
From: LaibaBareera <89480808+LaibaBareera@users.noreply.github.com>
Date: Mon, 22 Dec 2025 13:00:43 +0500
Subject: [PATCH] fix: Checks of rke2-1.8 (#2010)
* fix: Checks of rke2-1.8
* fix the check 1.1.7 and 1.1.8 in all rke2 versions
* fix the mentioned issues
* fix the check 1.1.11
---------
---
 cfg/rke2-cis-1.23/master.yaml | 25 ++++++++++--------
 cfg/rke2-cis-1.24/master.yaml | 25 ++++++++++--------
 cfg/rke2-cis-1.7/master.yaml | 26 +++++++++---------
 cfg/rke2-cis-1.8/config.yaml | 20 --------------
 cfg/rke2-cis-1.8/controlplane.yaml | 2 +-
 cfg/rke2-cis-1.8/etcd.yaml | 5 +---
 cfg/rke2-cis-1.8/master.yaml | 42 ++++++++++++++++-------------
 cfg/rke2-cis-1.8/node.yaml | 2 +-
 cfg/rke2-cis-1.8/policies.yaml | 2 +-
 9 files changed, 69 insertions(+), 80 deletions(-)
diff --git a/cfg/rke2-cis-1.23/master.yaml b/cfg/rke2-cis-1.23/master.yaml
index a339f3ab..0995f53e 100644
--- a/cfg/rke2-cis-1.23/master.yaml
+++ b/cfg/rke2-cis-1.23/master.yaml
@@ -99,12 +99,13 @@ groups: - id: 1.1.7 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" audit: | - /bin/sh -c 'if [ -d "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" -exec stat -c "permissions=%a" {} + - else - echo "Directory not found" - fi' - use_multiple_values: true + /bin/sh -c ' + if [ -e "$etcdconf" ]; then + stat -c "permissions=%a %n" "$etcdconf" + else + echo "Directory not found" + fi + ' tests: bin_op: or test_items:
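Review bot: With `$etcdconf` unset or empty, the new `if [ -e "$etcdconf" ]; then` test is false and the audit prints `Directory not found`, the same output as a genuinely absent manifest; the `test_items` that consume that string start past the end of this hunk, and in the rke2-cis-1.8 1.1.8 hunk the same string is accepted with `set: true`, so a misconfigured `etcdconf` would presumably read as a pass rather than as an error. Separating the two cases confines the pass-on-absence behaviour to a real missing file: `if [ -z "$etcdconf" ]; then echo "etcdconf is not set"` / `elif [ -e "$etcdconf" ]; then`. The same pattern appears in the 1.1.8 hunk of this file and in the 1.1.7 and 1.1.8 hunks of rke2-cis-1.24, rke2-cis-1.7 and rke2-cis-1.8. The message `Directory not found` is now also emitted for a file path, but because the test flag matches on that string it should only be reworded together with the flag.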
@@ -122,11 +123,13 @@ groups: - id: 1.1.8 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" audit: | - /bin/sh -c 'if [ -d "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} + - else - echo "Directory not found" - fi' + /bin/sh -c ' + if [ -e $etcdconf ]; then + stat -c "ownership=%U:%G %n" $etcdconf + else + echo "Directory not found" + fi + ' tests: bin_op: or test_items:
diff --git a/cfg/rke2-cis-1.24/master.yaml b/cfg/rke2-cis-1.24/master.yaml
index 455e735d..0473eff0 100644
--- a/cfg/rke2-cis-1.24/master.yaml
+++ b/cfg/rke2-cis-1.24/master.yaml
@@ -99,12 +99,13 @@ groups: - id: 1.1.7 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" audit: | - /bin/sh -c 'if [ -d "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" -exec stat -c "permissions=%a" {} + - else - echo "Directory not found" - fi' - use_multiple_values: true + /bin/sh -c ' + if [ -e "$etcdconf" ]; then + stat -c "permissions=%a %n" "$etcdconf" + else + echo "Directory not found" + fi + ' tests: bin_op: or test_items:
@@ -122,11 +123,13 @@ groups: - id: 1.1.8 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" audit: | - /bin/sh -c 'if [ -d "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} + - else - echo "Directory not found" - fi' + /bin/sh -c ' + if [ -e $etcdconf ]; then + stat -c "ownership=%U:%G %n" $etcdconf + else + echo "Directory not found" + fi + ' tests: bin_op: or test_items:
diff --git a/cfg/rke2-cis-1.7/master.yaml b/cfg/rke2-cis-1.7/master.yaml
index c3c4b9f1..fe15b7bb 100644
--- a/cfg/rke2-cis-1.7/master.yaml
+++ b/cfg/rke2-cis-1.7/master.yaml
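Review bot: The added `if [ -e $etcdconf ]; then` and `stat -c "ownership=%U:%G %n" $etcdconf` lines leave `$etcdconf` unquoted, unlike the 1.1.7 hunk just above it and the rke2-cis-1.8 version of this same check. If the variable is empty, `[ -e ]` is a one-argument test that evaluates to true, so `stat` runs with no operand and the check output becomes a stat error instead of reaching the `Directory not found` branch; a path containing whitespace would be word-split. Quoting restores the intended behaviour: `if [ -e "$etcdconf" ]; then` and `stat -c "ownership=%U:%G %n" "$etcdconf"`. The same unquoted lines appear in the 1.1.8 hunks of rke2-cis-1.24 (this line) and rke2-cis-1.7 (next line).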
@@ -99,13 +99,13 @@ groups: - id: 1.1.7 text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" audit: | - /bin/sh -c 'if [ -d "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" \ - -exec stat -c "permissions=%a %n" {} + - else - echo "Directory not found" - fi' - use_multiple_values: true + /bin/sh -c ' + if [ -e "$etcdconf" ]; then + stat -c "permissions=%a %n" "$etcdconf" + else + echo "Directory not found" + fi + ' tests: bin_op: or test_items:
@@ -125,11 +125,13 @@ groups: - id: 1.1.8 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" audit: | - /bin/sh -c 'if [ -d "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" -exec stat -c "ownership=%U:%G %n" {} + - else - echo "Directory not found" - fi' + /bin/sh -c ' + if [ -e $etcdconf ]; then + stat -c "ownership=%U:%G %n" $etcdconf + else + echo "Directory not found" + fi + ' tests: bin_op: or test_items:
diff --git a/cfg/rke2-cis-1.8/config.yaml b/cfg/rke2-cis-1.8/config.yaml
index 98a14855..b7839455 100644
--- a/cfg/rke2-cis-1.8/config.yaml
+++ b/cfg/rke2-cis-1.8/config.yaml
@@ -1,22 +1,2 @@ --- ## Version-specific settings that override the values in cfg/config.yaml - -master: components: - - apiserver - - kubelet - - scheduler - - controllermanager - - etcd - - policies - kubelet: bins: - - kubelet -node: kubelet: defaultkubeconfig: "/node/etc/kubernetes/ssl/kubecfg-kube-node.yaml" defaultcafile: "/node/etc/kubernetes/ssl/kube-ca.pem" bins: - - kubelet proxy: defaultkubeconfig: "/node/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml"
diff --git a/cfg/rke2-cis-1.8/controlplane.yaml b/cfg/rke2-cis-1.8/controlplane.yaml
index 61801ffb..a5b1d1de 100644
--- a/cfg/rke2-cis-1.8/controlplane.yaml
+++ b/cfg/rke2-cis-1.8/controlplane.yaml
@@ -1,6 +1,6 @@ --- controls: -version: "cis-1.8" +version: "rke2-cis-1.8" id: 3 text: "Control Plane Configuration" type: "controlplane"
diff --git a/cfg/rke2-cis-1.8/etcd.yaml b/cfg/rke2-cis-1.8/etcd.yaml
index 6d9e017f..693e8abf 100644
--- a/cfg/rke2-cis-1.8/etcd.yaml
+++ b/cfg/rke2-cis-1.8/etcd.yaml
@@ -1,13 +1,10 @@ --- controls: -version: "cis-1.8" +version: "rke2-cis-1.8" id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - - id: 1.1 - text: "Control Plane Node Configuration Files" - checks: - id: 2 text: "Etcd Node Configuration" checks:
diff --git a/cfg/rke2-cis-1.8/master.yaml b/cfg/rke2-cis-1.8/master.yaml
index 36d3bfa1..265ae01a 100644
--- a/cfg/rke2-cis-1.8/master.yaml
+++ b/cfg/rke2-cis-1.8/master.yaml
@@ -1,6 +1,6 @@ --- controls: -version: "cis-1.8" +version: "rke2-cis-1.8" id: 1 text: "Control Plane Security Configuration" type: "master"
@@ -98,15 +98,14 @@ groups: - id: 1.1.7 text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)" - audit: | - /bin/sh -c 'if [ -e "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" \ - -exec stat -c "permissions=%a %n" {} + + /bin/sh -c ' + if [ -e "$etcdconf" ]; then + stat -c "permissions=%a %n" "$etcdconf" else echo "Directory not found" - fi' - use_multiple_values: true + fi + ' tests: bin_op: or test_items:
@@ -126,16 +125,21 @@ groups: - id: 1.1.8 text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)" audit: | - /bin/sh -c 'if [ -e "$etcdconf" ]; then - find "$etcdconf" -type f -name "*etcd*" -exec stat -c "%U:%G %n" {} + + /bin/sh -c ' + if [ -e "$etcdconf" ]; then + stat -c "ownership=%U:%G %n" "$etcdconf" else echo "Directory not found" - fi' - use_multiple_values: true + fi + ' tests: bin_op: or test_items: - - flag: "root:root" + - flag: "ownership" + compare: + op: eq + value: "root:root" + set: true - flag: "Directory not found" set: true remediation: |
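Review bot: In the 1.1.7 hunk of cfg/rke2-cis-1.8/master.yaml the `audit: |` key appears only on the removed side (`- audit: |`) and no added `audit: |` is visible, whereas every other 1.1.7 hunk in this patch keeps that key as context; if that is the real diff and not an artifact of how the hunk is rendered here, the new `/bin/sh -c '` block scalar would follow `text:` with no key and the file would no longer parse. The hunk header `@@ -98,15 +98,14 @@` also accounts for more lines than are shown, so the hunk may be truncated in this view. Please confirm against the checked-in file that exactly one `audit: |` precedes the new shell block; if the old file carried a duplicate `audit:` key that this removes, the check body silently depended on last-key-wins parsing before this change.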
@@ -181,20 +185,20 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" audit: | - /bin/sh -c 'if [ -e "/node/var/lib/etcd" ]; then - stat -c "%a" "/node/var/lib/etcd" + /bin/sh -c 'if [ -e "/var/lib/rancher/rke2/server/db/etcd" ]; then + stat -c "permissions=%a %n" "/var/lib/rancher/rke2/server/db/etcd" else - echo "Directory not found: /node/var/lib/etcd" + echo "Directory not found: /var/lib/rancher/rke2/server/db/etcd" fi' tests: bin_op: or test_items: - - flag: "700" + - flag: "permissions" compare: - op: eq + op: bitmask value: "700" set: true - - flag: "Directory not found: /node/var/lib/etcd" + - flag: "Directory not found: /var/lib/rancher/rke2/server/db/etcd" remediation: | On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'.
@@ -204,7 +208,7 @@ groups: - id: 1.1.12 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" - audit: "stat -c %U:%G /node/var/lib/etcd" + audit: "stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd" tests: test_items: - flag: "etcd:etcd"
diff --git a/cfg/rke2-cis-1.8/node.yaml b/cfg/rke2-cis-1.8/node.yaml
index 3bf5d14a..db761d98 100644
--- a/cfg/rke2-cis-1.8/node.yaml
+++ b/cfg/rke2-cis-1.8/node.yaml
@@ -1,6 +1,6 @@ --- controls: -version: "cis-1.8" +version: "rke2-cis-1.8" id: 4 text: "Worker Node Security Configuration" type: "node"
diff --git a/cfg/rke2-cis-1.8/policies.yaml b/cfg/rke2-cis-1.8/policies.yaml
index 0e0fc474..4a85c96e 100644
--- a/cfg/rke2-cis-1.8/policies.yaml
+++ b/cfg/rke2-cis-1.8/policies.yaml
@@ -1,6 +1,6 @@ --- controls: -version: "cis-1.8" +version: "rke2-cis-1.8" id: 5 text: "Kubernetes Policies" type: "policies"
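Review bot: The new 1.1.12 audit `stat -c %U:%G /var/lib/rancher/rke2/server/db/etcd` has no existence guard, unlike the 1.1.11 hunk directly above it, which wraps the same path in `if [ -e ... ]` and accepts a `Directory not found:` line; on a node where the data directory is absent, 1.1.11 passes while 1.1.12 emits a stat error and, with nothing matching `etcd:etcd`, fails, so the two checks disagree about the same condition. Making 1.1.12 mirror 1.1.11 (guarded audit, `ownership=` prefix compared with `op: eq`, as the 1.1.8 hunk in this file now does) keeps the outcomes consistent; the rest of the 1.1.12 entry, including its `remediation`, lies past the end of the hunk. The directory path is now hard-coded four times across these two hunks; if the rke2 config exposes the etcd data directory as a substituted variable, sourcing it from there would keep 1.1.11 and 1.1.12 in step with each other and with the 1.1.11 `remediation` text, which tells the reader to take the directory from the running process's `--data-dir` argument.
```yaml
      - id: 1.1.12
        # … unchanged: text …
        audit: |
          /bin/sh -c 'if [ -e "/var/lib/rancher/rke2/server/db/etcd" ]; then
            stat -c "ownership=%U:%G %n" "/var/lib/rancher/rke2/server/db/etcd"
          else
            echo "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
          fi'
        tests:
          bin_op: or
          test_items:
            - flag: "ownership"
              compare:
                op: eq
                value: "etcd:etcd"
              set: true
            - flag: "Directory not found: /var/lib/rancher/rke2/server/db/etcd"
              set: true
```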