elastic · oren-zohar · Dec 1, 2021 · Nov 21, 2021 · Nov 30, 2021 · Nov 30, 2021
@@ -0,0 +1,32 @@
+package compliance.cis_k8s.rules.cis_2_1
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
+command_args := data_adapter.etcd_args
+
+default rule_evaluation = false
+
+rule_evaluation {
+	command_args["--cert-file"]
+	command_args["--key-file"]
+}
+
+finding = result {
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"command_args": command_args},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the --cert-file and --key-file arguments are set as appropriate",
+	"description": "Configure TLS encryption for the etcd service.",
+	"impact": "Client connections only over TLS would be served.",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 2.1", "etcd"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set  --cert-file=</path/to/ca-file> --key-file=</path/to/key-file>",
+}
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_2_1
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("etcd", "")
+	test.assert_fail(finding) with input as rule_input("etcd", "--cert-file=</path/to/ca-file>")
+	test.assert_fail(finding) with input as rule_input("etcd", "--key-file=</path/to/key-file>")
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("etcd", "--cert-file=</path/to/ca-file> --key-file=</path/to/key-file>")
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("some_process", "")
+}
+
+rule_input(process_type, argument) = test_data.etcd_input(process_type, [argument])
@@ -0,0 +1,26 @@
+package compliance.cis_k8s.rules.cis_2_2
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the --client-cert-auth argument is set to true (Automated)
+finding = result {
+	command_args := data_adapter.etcd_args
+	rule_evaluation := common.contains_key_with_value(command_args, "--client-cert-auth", "true")
+
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"command_args": command_args},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the --client-cert-auth argument is set to true",
+	"description": "Enable client authentication on etcd service.",
+	"impact": "All clients attempting to access the etcd server will require a valid client certificate.",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 2.2", "etcd"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set to --client-cert-auth=true",
+}
@@ -0,0 +1,19 @@
+package compliance.cis_k8s.rules.cis_2_2
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("etcd", "")
+	test.assert_fail(finding) with input as rule_input("etcd", "--client-cert-auth=false")
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("etcd", "--client-cert-auth=true")
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("some_process", "")
+}
+
+rule_input(process_type, argument) = test_data.etcd_input(process_type, [argument])
@@ -0,0 +1,27 @@
+package compliance.cis_k8s.rules.cis_2_3
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the --auto-tls argument is not set to true (Automated)
+finding = result {
+	# Verify that if the --auto-tls argument exists, it is not set to true.
+	command_args := data_adapter.etcd_args
+	rule_evaluation := common.contains_key_with_value(command_args, "--auto-tls", "true") == false
+
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"command_args": command_args},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the --auto-tls argument is not set to true",
+	"description": "Do not use self-signed certificates for TLS.",
+	"impact": "Clients will not be able to use self-signed certificates for TLS.",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 2.3", "etcd"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false",
+}
@@ -0,0 +1,19 @@
+package compliance.cis_k8s.rules.cis_2_3
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("etcd", "--auto-tls=true")
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("etcd", "")
+	test.assert_pass(finding) with input as rule_input("etcd", "--auto-tls=false")
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("some_process", "")
+}
+
+rule_input(process_type, argument) = test_data.etcd_input(process_type, [argument])
@@ -0,0 +1,32 @@
+package compliance.cis_k8s.rules.cis_2_4
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
+command_args := data_adapter.etcd_args
+
+default rule_evaluation = false
+
+rule_evaluation {
+	command_args["--peer-cert-file"]
+	command_args["--peer-key-file"]
+}
+
+finding = result {
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"command_args": command_args},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate",
+	"description": "etcd should be configured to make use of TLS encryption for peer connections.",
+	"impact": "etcd cluster peers would need to set up TLS for their communication.",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 2.4", "etcd"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set --peer-cert-file=</path/to/peer-cert-file> --peer-key-file=</path/to/peer-key-file>",
+}
@@ -0,0 +1,20 @@
+package compliance.cis_k8s.rules.cis_2_4
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("etcd", [""])
+	test.assert_fail(finding) with input as rule_input("etcd", ["--peer-cert-file=</path/to/peer-cert-file>"])
+	test.assert_fail(finding) with input as rule_input("etcd", ["--peer-key-file=</path/to/peer-key-file>"])
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("etcd", ["--peer-cert-file=</path/to/peer-cert-file>", "--peer-key-file=</path/to/peer-key-file>"])
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("some_process", [""])
+}
+
+rule_input(process_type, argument) = test_data.etcd_input(process_type, argument)
@@ -0,0 +1,26 @@
+package compliance.cis_k8s.rules.cis_2_5
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the --peer-client-cert-auth argument is set to true (Automated)
+finding = result {
+	command_args := data_adapter.etcd_args
+	rule_evaluation := common.contains_key_with_value(command_args, "--peer-client-cert-auth", "true")
+
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"command_args": command_args},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the --peer-client-cert-auth argument is set to true",
+	"description": "etcd should be configured for peer authentication.",
+	"impact": "All peers attempting to communicate with the etcd server will require a valid client certificate for authentication.",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 2.5", "etcd"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set to --peer-client-cert-auth=true",
+}
@@ -0,0 +1,19 @@
+package compliance.cis_k8s.rules.cis_2_5
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("etcd", "")
+	test.assert_fail(finding) with input as rule_input("etcd", "--peer-client-cert-auth=false")
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("etcd", "--peer-client-cert-auth=true")
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("some_process", "")
+}
+
+rule_input(process_type, argument) = test_data.etcd_input(process_type, [argument])
@@ -0,0 +1,27 @@
+package compliance.cis_k8s.rules.cis_2_6
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the --peer-auto-tls argument is not set to true (Automated)
+finding = result {
+	# Verify that if the --peer-auto-tls argument exists, it is not set to true
+	command_args := data_adapter.etcd_args
+	rule_evaluation := common.contains_key_with_value(command_args, "--peer-auto-tls", "true") == false
+
+	# set result
+	result := {
+		"evaluation": common.calculate_result(rule_evaluation),
+		"evidence": {"command_args": command_args},
+	}
+}
+
+metadata = {
+	"name": "Ensure that the --peer-auto-tls argument is not set to true",
+	"description": "Do not use automatically generated self-signed certificates for TLS connections between peers.",
+	"impact": "All peers attempting to communicate with the etcd server will require a valid client certificate for authentication.",
+	"tags": array.concat(cis_k8s.default_tags, ["CIS 2.6", "etcd"]),
+	"benchmark": cis_k8s.benchmark_name,
+	"remediation": "Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --peer-auto-tls parameter or set it to false.",
+}
@@ -0,0 +1,19 @@
+package compliance.cis_k8s.rules.cis_2_6
+
+import data.cis_k8s.test_data
+import data.lib.test
+
+test_violation {
+	test.assert_fail(finding) with input as rule_input("etcd", "--peer-auto-tls=true")
+}
+
+test_pass {
+	test.assert_pass(finding) with input as rule_input("etcd", "")
+	test.assert_pass(finding) with input as rule_input("etcd", "-peer-auto-tls=false")
+}
+
+test_not_evaluated {
+	not finding with input as rule_input("some_process", "")
+}
+
+rule_input(process_type, argument) = test_data.etcd_input(process_type, [argument])
@@ -15,3 +15,9 @@ api_server_input(process_type, arguments) = {
 	"type": process_type,
 	"command": concat(" ", array.concat(["kube-apiserver"], arguments)),
 }
+
+# Recivies an array of arguments representing the kube-controller-manager command
+etcd_input(process_type, arguments) = {
+	"type": process_type,
+	"command": concat(" ", array.concat(["etcd"], arguments)),
+}
@@ -54,3 +54,12 @@ api_server_command_args = args {
 	is_api_server_process
 	args = process_args(process_args_list)
 }
+
+is_etcd_process {
+	input.type == "etcd"
+}
+
+etcd_args = args {
+	is_etcd_process
+	args = process_args(process_args_list)
+}