From d8528a1ec830c3fc34cd2e5d771cd5c1ca086498 Mon Sep 17 00:00:00 2001
From: zilard <zilard.cherry@gmail.com>
Date: Wed, 10 Jul 2019 11:43:15 +0200
Subject: [PATCH] issue #234: implement test 2.2.8 (#343)
* implement test 2.2.8
* Nit: correct indentation
The indentation looked a bit wonky due to spaces vs tabs; hopefully this corrects it
---
cfg/1.11-json/node.yaml | 10 ++++++++--
cfg/1.11/node.yaml | 10 ++++++++--
cfg/1.13/node.yaml | 10 ++++++++--
cfg/1.8/node.yaml | 12 +++++++++---
cfg/config.yaml | 3 +++
cmd/common.go | 2 ++
cmd/util.go | 29 +++++++++++++++++++++++++++++
7 files changed, 67 insertions(+), 9 deletions(-)
diff --git a/cfg/1.11-json/node.yaml b/cfg/1.11-json/node.yaml
index 9dfc65c..f85687d 100644
--- a/cfg/1.11-json/node.yaml
+++ b/cfg/1.11-json/node.yaml
@@ -462,8 +462,14 @@ groups:
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
- type: manual
+ audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: root:root
+ set: true
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml
index 0a9ba8e..01faf1e 100644
--- a/cfg/1.11/node.yaml
+++ b/cfg/1.11/node.yaml
@@ -453,8 +453,14 @@ groups:
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
- type: manual
+ audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: root:root
+ set: true
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml
index 1469899..865c96e 100644
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@@ -434,8 +434,14 @@ groups:
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
- type: manual
+ audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: root:root
+ set: true
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml
index 05edbfe..7740d72 100644
--- a/cfg/1.8/node.yaml
+++ b/cfg/1.8/node.yaml
@@ -430,9 +430,15 @@ groups:
scored: true
- id: 2.2.8
- text: "Ensure that the client certificate authorities file ownership is set to root:root"
- audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
- type: manual
+ text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: root:root
+ set: true
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
diff --git a/cfg/config.yaml b/cfg/config.yaml
index 340b905..a538f84 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -81,6 +81,8 @@ node:
defaultconf: /etc/kubernetes/config
kubelet:
+ cafile:
+ - "/etc/kubernetes/pki/ca.crt"
bins:
- "hyperkube kubelet"
- "kubelet"
@@ -91,6 +93,7 @@ node:
defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
+ defaultcafile: "/etc/kubernetes/pki/ca.crt"
proxy:
bins:
diff --git a/cmd/common.go b/cmd/common.go
index 9297ea7..41e5cd7 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -85,6 +85,7 @@ func runChecks(nodetype check.NodeType) {
confmap := getConfigFiles(typeConf)
svcmap := getServiceFiles(typeConf)
kubeconfmap := getKubeConfigFiles(typeConf)
+ cafilemap := getCaFile(typeConf)
// Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in)
@@ -92,6 +93,7 @@ func runChecks(nodetype check.NodeType) {
s = makeSubstitutions(s, "conf", confmap)
s = makeSubstitutions(s, "svc", svcmap)
s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
+ s = makeSubstitutions(s, "cafile", cafilemap)
controls, err := check.NewControls(nodetype, []byte(s))
if err != nil {
diff --git a/cmd/util.go b/cmd/util.go
index f2a34f3..28490d9 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -258,6 +258,35 @@ func getKubeConfigFiles(v *viper.Viper) map[string]string {
return kubeconfigmap
}
+// getCaFile finds which of the set of client certificate authorities files exist
+func getCaFile(v *viper.Viper) map[string]string {
+ cafilemap := make(map[string]string)
+
+ for _, component := range v.GetStringSlice("components") {
+ s := v.Sub(component)
+ if s == nil {
+ continue
+ }
+
+ cafile := findConfigFile(s.GetStringSlice("cafile"))
+ if cafile == "" {
+ if s.IsSet("defaultcafile") {
+ cafile = s.GetString("defaultcafile")
+ glog.V(2).Info(fmt.Sprintf("Using default client CA file name '%s' for component %s", cafile, component))
+ } else {
+ glog.V(2).Info(fmt.Sprintf("Missing client CA file for %s", component))
+ cafile = component
+ }
+ } else {
+ glog.V(2).Info(fmt.Sprintf("Component %s uses client CA file '%s'", component, cafile))
+ }
+
+ cafilemap[component] = cafile
+ }
+
+ return cafilemap
+}
+
// verifyBin checks that the binary specified is running
func verifyBin(bin string) bool {
--
GitLab