feat(etcd): add checks for Kubernetes etcd

prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "etcd_client_cert_auth",
+  "CheckTitle": "Ensure that the --client-cert-auth argument is set to true for etcd",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "etcd",
+  "SubServiceName": "Client Certificate Authentication",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EtcdService",
+  "Description": "This check ensures that client authentication is enabled for the etcd service, which is a key-value store used by Kubernetes for persistent storage of all REST API objects. Enabling client authentication helps in securing access to etcd.",
+  "Risk": "If --client-cert-auth is not set to true, etcd service may be accessible by unauthenticated clients, posing a significant security risk.",
+  "RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
+  "Remediation": {
+    "Code": {
+      "CLI": "Edit the etcd pod specification file to set --client-cert-auth to true. Example: --client-cert-auth=\"true\".",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Enable client certificate authentication for the etcd service for improved security.",
+      "Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
+    }
+  },
+  "Categories": [
+    "Data Security",
+    "Access Control"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Ensure that all clients communicating with etcd have valid certificates."
+}

prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.py

@@ -0,0 +1,25 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.etcd.etcd_client import etcd_client
+
+
+class etcd_client_cert_auth(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in etcd_client.etcd_pods:
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = (
+                f"Etcd has client certificate authentication enabled in pod {pod.name}."
+            )
+            for container in pod.containers.values():
+                if "--client-cert-auth" not in str(
+                    container.command
+                ) and "--client-cert-auth=true" not in str(container.command):
+                    report.status = "FAIL"
+                    report.status_extended = f"Etcd does not have client certificate authentication enabled in pod {pod.name}."
+                    break
+            findings.append(report)
+        return findings

prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "etcd_no_auto_tls",
+  "CheckTitle": "Ensure that the --auto-tls argument is not set to true for etcd",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "etcd",
+  "SubServiceName": "TLS Configuration",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EtcdService",
+  "Description": "This check ensures that etcd does not use self-signed certificates for TLS, which are less secure than certificates from a trusted authority. Avoiding self-signed certificates enhances the security of etcd.",
+  "Risk": "Using --auto-tls=true may result in the use of self-signed certificates, reducing the overall security of the etcd service.",
+  "RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
+  "Remediation": {
+    "Code": {
+      "CLI": "Edit the etcd pod specification file to set --auto-tls to false or remove the parameter. Example: --auto-tls=false.",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure etcd is not using self-signed certificates for TLS.",
+      "Url": "https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/"
+    }
+  },
+  "Categories": [
+    "Data Security",
+    "Network Security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Self-signed certificates should be replaced with certificates from a trusted certificate authority."
+}

prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.py

@@ -0,0 +1,23 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.etcd.etcd_client import etcd_client
+
+
+class etcd_no_auto_tls(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in etcd_client.etcd_pods:
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = f"Etcd is not configured to use self-signed certificates for TLS in pod {pod.name}."
+            for container in pod.containers.values():
+                if "--auto-tls" in str(container.command) or "--auto-tls=true" in str(
+                    container.command
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Etcd is configured to use self-signed certificates for TLS in pod {pod.name}."
+                    break
+            findings.append(report)
+        return findings

prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "etcd_no_peer_auto_tls",
+  "CheckTitle": "Ensure that the --peer-auto-tls argument is not set to true for etcd",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "etcd",
+  "SubServiceName": "Peer TLS Configuration",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EtcdService",
+  "Description": "This check ensures that etcd is not configured to use automatically generated self-signed certificates for TLS connections between peers. Using self-signed certificates for peer authentication is discouraged in a production environment.",
+  "Risk": "Using self-signed certificates can lead to insecure communications between etcd peers, compromising data security.",
+  "RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
+  "Remediation": {
+    "Code": {
+      "CLI": "Configure etcd to avoid using self-signed certificates for peer connections by editing the etcd pod specification file with the --peer-auto-tls parameter set to false. Example: --peer-auto-tls=false.",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure etcd is not using automatically generated self-signed certificates for peer TLS connections.",
+      "Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
+    }
+  },
+  "Categories": [
+    "Data Security",
+    "Network Security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check is applicable only for etcd clusters. For single etcd server setups, this recommendation does not apply."
+}

prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.py

@@ -0,0 +1,23 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.etcd.etcd_client import etcd_client
+
+
+class etcd_no_peer_auto_tls(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in etcd_client.etcd_pods:
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = f"Etcd is not using automatically generated self-signed certificates for peer TLS connections in pod {pod.name}."
+            for container in pod.containers.values():
+                if "--peer-auto-tls" in str(
+                    container.command
+                ) or "--peer-auto-tls=true" in str(container.command):
+                    report.status = "FAIL"
+                    report.status_extended = f"Etcd is using automatically generated self-signed certificates for TLS connections in pod {pod.name}."
+                    break
+            findings.append(report)
+        return findings

prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "etcd_peer_client_cert_auth",
+  "CheckTitle": "Ensure that the --peer-client-cert-auth argument is set to true for etcd",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "etcd",
+  "SubServiceName": "Peer Client Certificate Authentication",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EtcdService",
+  "Description": "This check ensures that etcd is configured for peer authentication by verifying that the --peer-client-cert-auth argument is set to true. This configuration is crucial to ensure that etcd peers in the cluster are authenticated and secure.",
+  "Risk": "Failing to configure peer client authentication can lead to unauthorized access to the etcd cluster, compromising sensitive data.",
+  "RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
+  "Remediation": {
+    "Code": {
+      "CLI": "Configure peer client certificate authentication by editing the etcd pod specification file with the --peer-client-cert-auth parameter set to true. Example: --peer-client-cert-auth=true.",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure etcd is configured for peer client certificate authentication.",
+      "Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
+    }
+  },
+  "Categories": [
+    "Data Security",
+    "Network Security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check is applicable only for etcd clusters. For single etcd server setups, this recommendation does not apply."
+}

prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.py

@@ -0,0 +1,23 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.etcd.etcd_client import etcd_client
+
+
+class etcd_peer_client_cert_auth(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in etcd_client.etcd_pods:
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = f"Etcd is configured for peer client certificate authentication in pod {pod.name}."
+            for container in pod.containers.values():
+                if "--peer-client-cert-auth" not in str(
+                    container.command
+                ) and "--peer-client-cert-auth=true" not in str(container.command):
+                    report.status = "FAIL"
+                    report.status_extended = f"Etcd does not have peer client certificate authentication configured in pod {pod.name}."
+                    break
+            findings.append(report)
+        return findings

prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "etcd_peer_tls_config",
+  "CheckTitle": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate for etcd",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "etcd",
+  "SubServiceName": "Peer TLS Configuration",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EtcdService",
+  "Description": "This check ensures that etcd is configured to use TLS encryption for peer connections, which is crucial for securing sensitive data stored in etcd. It verifies the presence of peer certificate and key file arguments in etcd configuration.",
+  "Risk": "Not configuring TLS for peer connections in etcd can lead to potential data breaches and unauthorized access.",
+  "RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
+  "Remediation": {
+    "Code": {
+      "CLI": "Configure peer TLS encryption by editing the etcd pod specification file with appropriate certificate and key files. Example: --peer-client-file=</path/to/peer-cert-file> --peer-key-file=</path/to/peer-key-file>.",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Secure etcd peer connections with TLS encryption.",
+      "Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#securing-communication"
+    }
+  },
+  "Categories": [
+    "Data Security",
+    "Network Security"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check is only applicable for etcd clusters. For single etcd server setups, this recommendation does not apply."
+}

prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.py

@@ -0,0 +1,25 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.etcd.etcd_client import etcd_client
+
+
+class etcd_peer_tls_config(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        for pod in etcd_client.etcd_pods:
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "PASS"
+            report.status_extended = (
+                f"Etcd is configured with TLS for peer connections in pod {pod.name}."
+            )
+            for container in pod.containers.values():
+                if "--peer-cert-file" not in str(
+                    container.command
+                ) and "--peer-key-file" not in str(container.command):
+                    report.status = "FAIL"
+                    report.status_extended = f"Etcd does not have TLS configured for peer connections in pod {pod.name}."
+                    break
+            findings.append(report)
+        return findings

prowler/providers/kubernetes/services/etcd/etcd_tls_encryption/etcd_tls_encryption.metadata.json

@@ -13,7 +13,7 @@
   "ResourceType": "Etcd",
   "Description": "This check verifies that the etcd service in a Kubernetes cluster is configured with appropriate TLS encryption settings. etcd, being a key value store for all Kubernetes REST API objects, should have its communication encrypted to protect these sensitive objects in transit.",
   "Risk": "Without proper TLS configuration, data stored in etcd can be susceptible to interception and unauthorized access, posing a significant security risk to the entire Kubernetes cluster.",
-  "RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters",
+  "RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
   "Remediation": {
     "Code": {
       "CLI": "Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the --cert-file and --key-file arguments appropriately.",

prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.metadata.json

@@ -0,0 +1,36 @@
+{
+  "Provider": "kubernetes",
+  "CheckID": "etcd_unique_ca",
+  "CheckTitle": "Ensure that a unique Certificate Authority is used for etcd",
+  "CheckType": [
+    "Security",
+    "Configuration"
+  ],
+  "ServiceName": "etcd",
+  "SubServiceName": "Certificate Authority Configuration",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EtcdService",
+  "Description": "This check ensures that etcd uses a unique Certificate Authority (CA) separate from the one used for the overall Kubernetes cluster. This practice enhances the security by restricting access to the etcd database only to clients and peers with certificates issued by the dedicated etcd CA.",
+  "Risk": "Using the same CA for etcd and the Kubernetes cluster can expose etcd to unauthorized access if any certificate issued by the Kubernetes CA is compromised.",
+  "RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
+  "Remediation": {
+    "Code": {
+      "CLI": "Configure etcd to use a unique CA by setting the --trusted-ca-file parameter in the etcd pod specification to point to the dedicated etcd CA file. Example: --trusted-ca-file=</path/to/etcd-ca-file>.",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Ensure etcd uses a unique CA separate from the Kubernetes cluster CA.",
+      "Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
+    }
+  },
+  "Categories": [
+    "Data Security",
+    "Configuration Management"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "This check is particularly important in environments where strict access control to the etcd database is required."
+}

prowler/providers/kubernetes/services/etcd/etcd_unique_ca/etcd_unique_ca.py

@@ -0,0 +1,34 @@
+from prowler.lib.check.models import Check, Check_Report_Kubernetes
+from prowler.providers.kubernetes.services.apiserver.apiserver_client import (
+    apiserver_client,
+)
+from prowler.providers.kubernetes.services.etcd.etcd_client import etcd_client
+
+
+class etcd_unique_ca(Check):
+    def execute(self) -> Check_Report_Kubernetes:
+        findings = []
+        # Get first the CA Files of the apiserver pods
+        apiserver_ca_files = []
+        for pod in apiserver_client.apiserver_pods:
+            for container in pod.containers.values():
+                for command in container.command:
+                    if command.startswith("--client-ca-file"):
+                        apiserver_ca_files.append(command.split("=")[1])
+        for pod in etcd_client.etcd_pods:
+            etcd_ca_files = []
+            report = Check_Report_Kubernetes(self.metadata())
+            report.namespace = pod.namespace
+            report.resource_name = pod.name
+            report.resource_id = pod.uid
+            report.status = "MANUAL"
+            report.status_extended = f"Etcd uses a different CA file from the Kubernetes cluster CA in pod {pod.name}, but verify if the content is the same."
+            for container in pod.containers.values():
+                for command in container.command:
+                    if command.startswith("--trusted-ca-file"):
+                        etcd_ca_files.append(command.split("=")[1])
+            if any(ca in etcd_ca_files for ca in apiserver_ca_files):
+                report.status = "FAIL"
+                report.status_extended = f"Etcd does not use a unique CA file, which could compromise its security in pod {pod.name}."
+            findings.append(report)
+        return findings