OCP4/CIS 2.X: Fix descriptions and add checks

applications/openshift/etcd/etcd_client_cert_auth/rule.yml

@@ -6,10 +6,11 @@ title: 'Enable The Client Certificate Authentication'
 
 description: |-
     To ensure the <tt>etcd</tt> service is serving TLS to clients,
-    edit the <tt>etcd</tt> configuration file
-    <tt>/etc/etcd/etcd.conf</tt> on the master node and set
-    <tt>ETCD_CLIENT_CERT_AUTH</tt> to <tt>true</tt>.
-    <pre>ETCD_CLIENT_CERT_AUTH=true</pre>
+    make sure the <tt>etcd-pod*</tt> <tt>ConfigMaps</tt> in the
+    <tt>openshift-etcd</tt> namespace contain the following argument
+    for the <tt>etcd</tt> binary in the <tt>etcd</tt> pod:
+    <pre>oc get -nopenshift-etcd cm etcd-pod -oyaml | grep "\-\-client-cert-auth="</pre>
+    the parameter should be set to <tt>true</tt>.
 
 rationale: |-
     Without cryptographic integrity protections, information can be
@@ -26,6 +27,21 @@ references:
 ocil_clause: 'the etcd client certificate authentication is not configured'
 
 ocil: |-
-    Run the following command on the master node(s):
-    <pre>$ grep ETCD_CLIENT_CERT_AUTH</pre>
-    The output should return <tt>true</tt>.
+    Run the following command:
+    <pre>oc get -nopenshift-etcd cm etcd-pod -oyaml | grep "\-\-client-cert-auth="</pre>
+    The parameter should be set to <tt>true</tt>.
+
+warnings:
+    - general: |-
+        {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod") | indent(8) }}}
+
+
+template:
+    name: yamlfile_value
+    vars:
+        ocp_data: "true"
+        filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod
+        yamlpath: ".data['pod.yaml']"
+        values:
+          - value: ".*--client-cert-auth=true \\.*"
+            operation: "pattern match"

applications/openshift/etcd/etcd_client_cert_auth/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

applications/openshift/etcd/etcd_peer_auto_tls/rule.yml

@@ -6,10 +6,10 @@ title: 'Disable etcd Peer Self-Signed Certificates'
 
 description: |-
     To ensure the <tt>etcd</tt> service is not using self-signed
-    certificates, edit the <tt>etcd</tt> configuration file
-    <tt>/etc/etcd/etcd.conf</tt> from the master node and set
-    <tt>ETCD_PEER_AUTO_TLS</tt> to <tt>false</tt>:
-    <pre>ETCD_PEER_AUTO_TLS=false</pre>
+    certificates, run the following command:
+    <pre>$ oc get cm/etcd-pod -n openshift-etcd -o yaml</pre>
+    The etcd pod configuration contained in the configmap should not
+    contain the <tt>--peer-auto-tls=true</tt> flag.
 
 rationale: |-
     Without cryptographic integrity protections, information can be
@@ -30,5 +30,21 @@ ocil_clause: 'the etcd is using peer self-signed certificates'
 
 ocil: |-
     Run the following command on the master node(s):
-    <pre>$ grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf</pre>
-    The output should return <tt>false</tt>.
+    <pre>$ oc get cm/etcd-pod -n openshift-etcd -o yaml</pre>
+    The etcd pod configuration contained in the configmap should not
+    contain the <tt>--peer-auto-tls=true</tt> flag.
+
+warnings:
+    - general: |-
+        {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod") | indent(8) }}}
+
+template:
+    name: yamlfile_value
+    vars:
+        ocp_data: "true"
+        filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod
+        entity_check: "none satisfy"
+        yamlpath: '.data["pod.yaml"]'
+        values:
+          - value: '.*peer-auto-tls[= ]true.*'
+            operation: "pattern match"

applications/openshift/etcd/etcd_peer_auto_tls/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

applications/openshift/etcd/etcd_peer_cert_file/rule.yml

@@ -5,11 +5,11 @@ prodtype: ocp4
 title: 'Ensure That The etcd Peer Client Certificate Is Correctly Set'
 
 description: |-
-    To ensure the <tt>etcd</tt> service is serving TLS to clients,
-    edit the <tt>etcd</tt> configuration file
-    <tt>/etc/etcd/etcd.conf</tt> on the master and adding a certificate
-    to <tt>ETCD_PEER_CERT_FILE</tt>:
-    <pre>ETCD_PEER_CERT_FILE=/etc/ssl/etcd/system:etcd-peer:<i>etcd_dns_name</i>.crt</pre>
+    To ensure the <tt>etcd</tt> service is serving TLS to peers,
+    make sure the <tt>etcd-pod*</tt> <tt>ConfigMaps</tt> in the
+    <tt>openshift-etcd</tt> namespace contain the following argument
+    for the <tt>etcd</tt> binary in the <tt>etcd</tt> pod:
+    <pre>--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt</pre>
 
 rationale: |-
     Without cryptographic integrity protections, information can be
@@ -23,9 +23,23 @@ severity: medium
 references:
     cis: '2.4'
 
-ocil_clause: 'the etcd client certificate is not configured'
+ocil_clause: 'the etcd peer client certificate is not configured'
 
 ocil: |-
-    Run the following command on the master node(s):
-    <pre>$ grep ETCD_PEER_CERT_FILE=/etc/etcd/etcd.conf</pre>
+    Run the following command:
+    <pre>oc get -nopenshift-etcd cm etcd-pod -oyaml | grep "\-\-peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt"</pre>
     Verify that there is a certificate configured.
+
+warnings:
+    - general: |-
+        {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod") | indent(8) }}}
+
+template:
+    name: yamlfile_value
+    vars:
+        ocp_data: "true"
+        filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod
+        yamlpath: ".data['pod.yaml']"
+        values:
+          - value: ".*--peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.crt \\.*"
+            operation: "pattern match"

applications/openshift/etcd/etcd_peer_cert_file/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

applications/openshift/etcd/etcd_peer_client_cert_auth/rule.yml

@@ -6,10 +6,11 @@ title: 'Enable The Peer Client Certificate Authentication'
 
 description: |-
     To ensure the <tt>etcd</tt> service is serving TLS to clients,
-    edit the <tt>etcd</tt> configuration file
-    <tt>/etc/etcd/etcd.conf</tt> on the master node and set
-    <tt>ETCD_PEER_CLIENT_CERT_AUTH</tt> to <tt>true</tt>.
-    <pre>ETCD_PEER_CLIENT_CERT_AUTH=true</pre>
+    make sure the <tt>etcd-pod*</tt> <tt>ConfigMaps</tt> in the
+    <tt>openshift-etcd</tt> namespace contain the following argument
+    for the <tt>etcd</tt> binary in the <tt>etcd</tt> pod:
+    <pre>oc get -nopenshift-etcd cm etcd-pod -oyaml | grep "\-\-peer-client-cert-auth="</pre>
+    the parameter should be set to <tt>true</tt>.
 
 rationale: |-
     Without cryptographic integrity protections, information can be
@@ -26,6 +27,21 @@ references:
 ocil_clause: 'the etcd peer client certificate authentication is not configured'
 
 ocil: |-
-    Run the following command on the master node(s):
-    <pre>$ grep ETCD_PEER_CLIENT_CERT_AUTH</pre>
-    The output should return <tt>true</tt>.
+    Run the following command:
+    <pre>oc get -nopenshift-etcd cm etcd-pod -oyaml | grep "\-\-peer-client-cert-auth="</pre>
+    The parameter should be set to <tt>true</tt>.
+
+warnings:
+    - general: |-
+        {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod") | indent(8) }}}
+
+
+template:
+    name: yamlfile_value
+    vars:
+        ocp_data: "true"
+        filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod
+        yamlpath: ".data['pod.yaml']"
+        values:
+          - value: ".*--peer-client-cert-auth=true \\.*"
+            operation: "pattern match"

applications/openshift/etcd/etcd_peer_client_cert_auth/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

applications/openshift/etcd/etcd_peer_key_file/rule.yml

@@ -5,11 +5,11 @@ prodtype: ocp4
 title: 'Ensure That The etcd Peer Key File Is Correctly Set'
 
 description: |-
-    To ensure the <tt>etcd</tt> service is serving TLS to clients,
-    edit the <tt>etcd</tt> configuration file
-    <tt>/etc/etcd/etcd.conf</tt> on the master on the master and
-    adding a key file to <tt>ETCD_PEER_KEY_FILE</tt>:
-    <pre>ETCD_PEER_KEY_FILE=/etc/ssl/etcd/system:etcd-peer:<i>etcd_dns_name</i>.key</pre>
+    To ensure the <tt>etcd</tt> service is serving TLS to peers,
+    make sure the <tt>etcd-pod*</tt> <tt>ConfigMaps</tt> in the
+    <tt>openshift-etcd</tt> namespace contain the following argument
+    for the <tt>etcd</tt> binary in the <tt>etcd</tt> pod:
+    <pre>oc get -nopenshift-etcd cm etcd-pod -oyaml | grep "\-\-peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key"</pre>
 
 rationale: |-
     Without cryptographic integrity protections, information can be
@@ -23,9 +23,23 @@ severity: medium
 references:
     cis: '2.4'
 
-ocil_clause: 'the etcd client key file is not configured'
+ocil_clause: 'the etcd peer client key file is not configured'
 
 ocil: |-
-    Run the following command on the master node(s):
-    <pre>$ grep ETCD_PEER_KEY_FILE=/etc/etcd/etcd.conf</pre>
-    Verify that there is a key file configured.
+    Run the following command:
+    <pre>oc get -nopenshift-etcd cm etcd-pod -oyaml | grep "\-\-peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key"</pre>
+    Verify that there is a certificate configured.
+
+warnings:
+    - general: |-
+        {{{ openshift_cluster_setting("/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod") | indent(8) }}}
+
+template:
+    name: yamlfile_value
+    vars:
+        ocp_data: "true"
+        filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod
+        yamlpath: ".data['pod.yaml']"
+        values:
+          - value: ".*--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-peer/etcd-peer-NODE_NAME.key \\.*"
+            operation: "pattern match"

applications/openshift/etcd/etcd_peer_key_file/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS