Update ETCD XCCDF and OVAL for ocp4-isms

- Add runtime checks
- Update ETCD XCCDF and OVAL for ocp4-isms

applications/openshift/etcd/etcd_auto_tls/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>Ensure OpenShift is not using Self-Signed Certificates</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="self-signed certs are disabled" test_ref="test_etcd_auto_tls" negate="true" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_auto_tls" />
     </criteria>
   </definition>
 
@@ -27,4 +28,5 @@
     <ind:subexpression datatype="string" operation="pattern match">^true$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--auto-tls", value="false", option_id="auto_tls") }}}
 </def-group>

applications/openshift/etcd/etcd_cert_file/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>ETCD_CERT_FILE is correctly set</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion test_ref="test_etcd_cert_file" comment="Check ETCD_CERT_FILE in /etc/etcd/etcd.conf" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_cert_file" />
     </criteria>
   </definition>
 
@@ -27,7 +28,13 @@
 
   <ind:textfilecontent54_state id="state_etcd_cert_file"
   version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/server.crt$</ind:subexpression>
+    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/server.crt|/etc/ssl/etcd/system\:etcd-server-\:.*\.crt$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+{{%- if product == "ocp4" %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--cert-file", value="/etc/ssl/etcd/system\:etcd-server\:.*\.crt", option_id="cert_file") }}}
+{{% else %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--cert-file", value="/etc/etcd/server.crt", option_id="cert_file") }}}
+{{%- endif %}}
+
 </def-group>

applications/openshift/etcd/etcd_cert_file/rule.yml

@@ -9,7 +9,11 @@ description: |-
     edit the <tt>etcd</tt> configuration file
     <tt>/etc/etcd/etcd.conf</tt> on the master and adding a certificate
     to <tt>ETCD_CERT_FILE</tt>:
+{{%- if product == "ocp4" %}}
+    <pre>ETCD_CERT_FILE=/etc/ssl/etcd/system:etcd-server:<i>etcd_dns_name</i>.crt</pre>
+{{% else %}}
     <pre>ETCD_CERT_FILE=/etc/etcd/server.crt</pre>
+{{%- endif %}}
 
 rationale: |-
     Without cryptographic integrity protections, information can be
@@ -27,5 +31,6 @@ ocil_clause: 'the etcd client certificate is not configured'
 
 ocil: |-
     Run the following command on the master node(s):
+
     <pre>$ grep ETCD_CERT_FILE=/etc/etcd/etcd.conf</pre>
     Verify that there is a certificate configured.

applications/openshift/etcd/etcd_client_cert_auth/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>Ensure OpenShift has enabled Client Certificate Authentication</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="ETCD_CLIENT_CERT_AUTH is enabled" test_ref="test_etcd_client_cert_auth" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_client_cert_auth" />
     </criteria>
   </definition>
 
@@ -27,4 +28,5 @@
     <ind:subexpression datatype="string" operation="pattern match">^true$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--client-cert-auth", value="true", option_id="client_cert_auth") }}}
 </def-group>

applications/openshift/etcd/etcd_key_file/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>ETCD_KEY_FILE is correctly set</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion test_ref="test_etcd_key_file" comment="Check ETCD_KEY_FILE in /etc/etcd/etcd.conf" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_key_file" />
     </criteria>
   </definition>
 
@@ -27,7 +28,13 @@
 
   <ind:textfilecontent54_state id="state_etcd_key_file"
   version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/server.key$</ind:subexpression>
+    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/server.key|/etc/ssl/etcd/system\:etcd-.*\:.*\.key$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+{{%- if product == "ocp4" %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--key-file", value="/etc/ssl/etcd/system\:etcd-server\:.*\.key", option_id="key_file") }}}
+{{% else %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--key-file", value="/etc/etcd/server.key", option_id="key_file") }}}
+{{%- endif %}}
+
 </def-group>

applications/openshift/etcd/etcd_key_file/rule.yml

@@ -7,19 +7,23 @@ title: 'Ensure That The etcd Key File Is Correctly Set'
 description: |-
     To ensure the <tt>etcd</tt> service is serving TLS to clients,
     edit the <tt>etcd</tt> configuration file
-    <tt>/etc/etcd/etcd.conf</tt> on the master on the master and
+    <tt>/etc/etcd/etcd.conf</tt> on the master and
     adding a key file to <tt>ETCD_KEY_FILE</tt>:
-    <pre>ETCD_KEY_FILE=/etc/etcd/server.key</pre>
+{{%- if product == "ocp4" %}}
+    <pre>ETCD_CERT_FILE=/etc/ssl/etcd/system:etcd-server:<i>etcd_dns_name</i>.key</pre>
+{{% else %}}
+    <pre>ETCD_CERT_FILE=/etc/etcd/server.key</pre>
+{{%- endif %}}
 
 rationale: |-
     Without cryptographic integrity protections, information can be
     altered by unauthorized users without detection.
 
+severity: medium
+
 identifiers:
     cce@ocp3: 80578-8
 
-severity: medium
-
 references:
     cis: '2.1'
 

applications/openshift/etcd/etcd_peer_auto_tls/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>Ensure OpenShift is not using Peer Self-Signed Certificates</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="self-signed certs are disabled" test_ref="test_etcd_peer_auto_tls" negate="true" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_peer_auto_tls" />
     </criteria>
   </definition>
 
@@ -27,4 +28,5 @@
     <ind:subexpression datatype="string" operation="pattern match">^true$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--peer-auto-tls", value="false", option_id="peer_auto_tls") }}}
 </def-group>

applications/openshift/etcd/etcd_peer_cert_file/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>ETCD_PEER_CERT_FILE is correctly set</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion test_ref="test_etcd_peer_cert_file" comment="Check ETCD_PEER_CERT_FILE in /etc/etcd/etcd.conf" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_peer_cert_file" />
     </criteria>
   </definition>
 
@@ -27,7 +28,13 @@
 
   <ind:textfilecontent54_state id="state_etcd_peer_cert_file"
   version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/peer.crt$</ind:subexpression>
+    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/peer.crt|/etc/ssl/etcd/system\:etcd-peer\:.*\.crt$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+{{%- if product == "ocp4" %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--peer-cert-file", value="/etc/ssl/etcd/system\:etcd-peer\:.*\.crt", option_id="peer_cert_file") }}}
+{{% else %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--peer-cert-file", value="/etc/etcd/peer.crt", option_id="peer_cert_file") }}}
+{{%- endif %}}
+
 </def-group>

applications/openshift/etcd/etcd_peer_cert_file/rule.yml

@@ -9,7 +9,11 @@ description: |-
     edit the <tt>etcd</tt> configuration file
     <tt>/etc/etcd/etcd.conf</tt> on the master and adding a certificate
     to <tt>ETCD_PEER_CERT_FILE</tt>:
+{{%- if product == "ocp4" %}}
+    <pre>ETCD_PEER_CERT_FILE=/etc/ssl/etcd/system:etcd-peer:<i>etcd_dns_name</i>.crt</pre>
+{{% else %}}
     <pre>ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt</pre>
+{{%- endif %}}
 
 rationale: |-
     Without cryptographic integrity protections, information can be

applications/openshift/etcd/etcd_peer_client_cert_auth/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>Ensure OpenShift has enabled Peer Client Certificate Authentication</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="ETCD_PEER_CLIENT_CERT_AUTH is enabled" test_ref="test_etcd_peer_client_cert_auth" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_peer_client_cert_auth" />
     </criteria>
   </definition>
 
@@ -27,4 +28,5 @@
     <ind:subexpression datatype="string" operation="pattern match">^true$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--peer-client-cert-auth", value="true", option_id="peer_client_cert_auth") }}}
 </def-group>

applications/openshift/etcd/etcd_peer_key_file/oval/shared.xml

@@ -7,8 +7,9 @@
       </affected>
       <description>ETCD_PEER_KEY_FILE is correctly set</description>
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion test_ref="test_etcd_peer_key_file" comment="Check ETCD_PEER_KEY_FILE in /etc/etcd/etcd.conf" />
+      <criterion comment="Runtime configuration is correct" test_ref="test_ocp_runtime_peer_key_file" />
     </criteria>
   </definition>
 
@@ -27,7 +28,13 @@
 
   <ind:textfilecontent54_state id="state_etcd_peer_key_file"
   version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/peer.key$</ind:subexpression>
+    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/peer.key|/etc/ssl/etcd/system\:etcd-peer\:.*\.key$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+{{%- if product == "ocp4" %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--peer-key-file", value="/etc/ssl/etcd/system\:etcd-peer\:.*\.key", option_id="peer_key_file") }}}
+{{% else %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--peer-key-file", value="/etc/etcd/peer.key", option_id="peer_key_file") }}}
+{{%- endif %}}
+
 </def-group>

applications/openshift/etcd/etcd_peer_key_file/rule.yml

@@ -9,7 +9,11 @@ description: |-
     edit the <tt>etcd</tt> configuration file
     <tt>/etc/etcd/etcd.conf</tt> on the master on the master and
     adding a key file to <tt>ETCD_PEER_KEY_FILE</tt>:
+{{%- if product == "ocp4" %}}
+    <pre>ETCD_PEER_KEY_FILE=/etc/ssl/etcd/system:etcd-peer:<i>etcd_dns_name</i>.key</pre>
+{{% else %}}
     <pre>ETCD_PEER_KEY_FILE=/etc/etcd/peer.key</pre>
+{{%- endif %}}
 
 rationale: |-
     Without cryptographic integrity protections, information can be

applications/openshift/etcd/etcd_unique_ca/oval/shared.xml

@@ -24,7 +24,13 @@
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_state id="state_etcd_unique_ca" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^/etc/etcd/ca.crt$</ind:subexpression>
+    <ind:subexpression datatype="string" operation="pattern match">^/etc(|/ssl)/etcd/ca.crt$</ind:subexpression>
   </ind:textfilecontent54_state>
 
+{{%- if product == "ocp4" %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--trusted-ca-file", value="/etc/ssl/etcd/ca.crt", option_id="trusted_ca_file") }}}
+{{% else %}}
+  {{{ oval_ocp_service_runtime_config(command="etcd", option="--trusted-ca-file", value="/etc/etcd/ca.crt", option_id="trusted_ca_file") }}}
+{{%- endif %}}
+
 </def-group>

applications/openshift/etcd/etcd_unique_ca/rule.yml

@@ -10,7 +10,11 @@ description: |-
     , set <tt>ETCD_TRUSTED_CA_FILE</tt> to <tt>/etc/etcd/ca.crt</tt>
     in <tt>/etc/etcd/etcd.conf</tt> on the master node that does NOT match
     the OpenShift CA certificate:
+{{%- if product == "ocp4" %}}
+    <pre>ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.crt</pre>
+{{% else %}}
     <pre>ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt</pre>
+{{%- endif %}}
 
 rationale: |-
     A unique CA certificate that is utilized by etcd and is different from