From 0c553cd2f62129aefdca11591d1086275d2e3c49 Mon Sep 17 00:00:00 2001 From: Huang Huang Date: Sun, 3 Dec 2023 15:06:35 +0800 Subject: [PATCH] fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528) * fix wrong use of flag in test_items found in 4.13 and 4.14 Fixes #1491 * fix for more benchmarks * update integration test * fix test --- cfg/ack-1.0/node.yaml | 4 ---- cfg/cis-1.20/node.yaml | 4 ---- cfg/cis-1.23/node.yaml | 4 ---- cfg/cis-1.24-microk8s/node.yaml | 4 ---- cfg/cis-1.24/node.yaml | 4 ---- cfg/cis-1.5/node.yaml | 4 ---- cfg/cis-1.7/node.yaml | 4 ---- cfg/cis-1.8/node.yaml | 4 ---- cfg/k3s-cis-1.23/node.yaml | 4 ---- cfg/rke-cis-1.23/node.yaml | 4 ---- cfg/rke2-cis-1.23/node.yaml | 4 ---- integration/testdata/Expected_output.data | 19 +++++++++++++------ 12 files changed, 13 insertions(+), 50 deletions(-) diff --git a/cfg/ack-1.0/node.yaml b/cfg/ack-1.0/node.yaml index 19a0817..961dbcd 100644 --- a/cfg/ack-1.0/node.yaml +++ b/cfg/ack-1.0/node.yaml @@ -45,8 +45,6 @@ groups: compare: op: bitmask value: "644" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -60,8 +58,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/cis-1.20/node.yaml b/cfg/cis-1.20/node.yaml index 2bb9499..72524ae 100644 --- a/cfg/cis-1.20/node.yaml +++ b/cfg/cis-1.20/node.yaml @@ -46,8 +46,6 @@ groups: compare: op: bitmask value: "644" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
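Review bot: Removing the `- flag: "$proxykubeconfig"` / `set: false` item fixes a check that could never fail, but it also removes the only branch that covered the absent-file case, so a node with no proxy kubeconfig now ends in WARN (as the updated Expected_output.data shows) rather than the PASS the "If proxy kubeconfig file exists" wording implies. The audit command is outside this hunk; assuming it runs stat on the expanded path, the removed item looked for the literal text `$proxykubeconfig` in output that never contains it, so under `bin_op: or` 4.1.3/4.1.4 reported PASS regardless of the real mode or owner — worth stating in the commit message or a comment beside the check so the pattern is not reintroduced. If absent-file should still be a PASS, have the audit's else branch print a fixed marker, e.g. `else echo "proxykubeconfig not found"; fi`, and add `- flag: "proxykubeconfig not found"` back as the `or` alternative; a literal marker is something the flag matcher can actually find, whereas a shell variable name is not. The same point applies to the 4.1.4 `root:root` hunk and to the identical hunks in the other ten benchmark files.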
@@ -61,8 +59,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/cis-1.23/node.yaml b/cfg/cis-1.23/node.yaml index 7f93b33..3105d37 100644 --- a/cfg/cis-1.23/node.yaml +++ b/cfg/cis-1.23/node.yaml @@ -45,8 +45,6 @@ groups: compare: op: bitmask value: "644" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -60,8 +58,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/cis-1.24-microk8s/node.yaml b/cfg/cis-1.24-microk8s/node.yaml index 7b9278a..55dc5c6 100644 --- a/cfg/cis-1.24-microk8s/node.yaml +++ b/cfg/cis-1.24-microk8s/node.yaml @@ -45,8 +45,6 @@ groups: compare: op: bitmask value: "600" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -60,8 +58,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/cis-1.24/node.yaml b/cfg/cis-1.24/node.yaml index 6ee5dbc..f85d7ce 100644 --- a/cfg/cis-1.24/node.yaml +++ b/cfg/cis-1.24/node.yaml @@ -45,8 +45,6 @@ groups: compare: op: bitmask value: "600" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
@@ -60,8 +58,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml index 1349054..fe47d64 100644 --- a/cfg/cis-1.5/node.yaml +++ b/cfg/cis-1.5/node.yaml @@ -48,8 +48,6 @@ groups: compare: op: bitmask value: "644" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -64,8 +62,6 @@ groups: test_items: - flag: root:root set: true - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/cis-1.7/node.yaml b/cfg/cis-1.7/node.yaml index d4eabc9..e109d41 100644 --- a/cfg/cis-1.7/node.yaml +++ b/cfg/cis-1.7/node.yaml @@ -45,8 +45,6 @@ groups: compare: op: bitmask value: "600" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -60,8 +58,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/cis-1.8/node.yaml b/cfg/cis-1.8/node.yaml index d51cb69..04f4270 100644 --- a/cfg/cis-1.8/node.yaml +++ b/cfg/cis-1.8/node.yaml @@ -45,8 +45,6 @@ groups: compare: op: bitmask value: "600" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
@@ -60,8 +58,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/k3s-cis-1.23/node.yaml b/cfg/k3s-cis-1.23/node.yaml index 211cdbc..80f0c5a 100644 --- a/cfg/k3s-cis-1.23/node.yaml +++ b/cfg/k3s-cis-1.23/node.yaml @@ -47,8 +47,6 @@ groups: compare: op: bitmask value: "644" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -62,8 +60,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/rke-cis-1.23/node.yaml b/cfg/rke-cis-1.23/node.yaml index 12d3679..3fac4fa 100644 --- a/cfg/rke-cis-1.23/node.yaml +++ b/cfg/rke-cis-1.23/node.yaml @@ -46,8 +46,6 @@ groups: compare: op: bitmask value: "644" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -61,8 +59,6 @@ groups: bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig diff --git a/cfg/rke2-cis-1.23/node.yaml b/cfg/rke2-cis-1.23/node.yaml index c05fb39..596208a 100644 --- a/cfg/rke2-cis-1.23/node.yaml +++ b/cfg/rke2-cis-1.23/node.yaml @@ -48,8 +48,6 @@ groups: compare: op: bitmask value: "644" - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
@@ -63,8 +61,6 @@ groups:
bin_op: or test_items: - flag: root:root - - flag: "$proxykubeconfig" - set: false remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root $proxykubeconfig
diff --git a/integration/testdata/Expected_output.data b/integration/testdata/Expected_output.data
index 0df5ce0..d0cfe93 100644
--- a/integration/testdata/Expected_output.data
+++ b/integration/testdata/Expected_output.data
@@ -221,8 +221,8 @@ minimum.
 [INFO] 4.1 Worker Node Configuration Files
 [PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
 [PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
-[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
-[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
+[WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
+[WARN] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
 [PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
 [PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)
 [PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
@@ -245,6 +245,13 @@ minimum.
 [WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
 == Remediations node ==
+4.1.3 Run the below command (based on the file location on your system) on the each worker node.
+For example,
+chmod 644 /etc/kubernetes/proxy.conf
+
+4.1.4 Run the below command (based on the file location on your system) on the each worker node.
+For example, chown root:root /etc/kubernetes/proxy.conf
+
 4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@@ -287,9 +294,9 @@ systemctl restart kubelet.service
 == Summary node ==
-19 checks PASS
+17 checks PASS
 1 checks FAIL
-3 checks WARN
+5 checks WARN
 0 checks INFO
 [INFO] 5 Kubernetes Policies
@@ -419,8 +426,8 @@ resources and that all new resources are created in a specific namespace.
 0 checks INFO
 == Summary total ==
-69 checks PASS
+67 checks PASS
 11 checks FAIL
-43 checks WARN
+45 checks WARN
 0 checks INFO
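Review bot: Pinning 4.1.3 and 4.1.4 to WARN here implies the integration cluster has no proxy kubeconfig at all, so the `permissions` bitmask and `root:root` items that this change makes effective are still never exercised end to end — the remediation text is printed, but no run sees a real mode or owner. A unit test over the node checks that feeds the compare step synthetic audit output for a 0644 file and for a 0664 file, asserting PASS and non-PASS respectively, would pin the behaviour the fix intends without depending on the integration cluster's filesystem. Minor: the emitted 4.1.3 remediation breaks after `For example,` while 4.1.4 keeps `For example, chown root:root ...` on one line; aligning the two remediation blocks in the yaml would make this output consistent.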