From 13fe1cdfb8799922bc9d69b8223f8284e617f4ec Mon Sep 17 00:00:00 2001
From: Roberto Rojas
Date: Fri, 1 Nov 2019 09:10:52 -0400
Subject: [PATCH] Fixes issue #501: specifying absolute path for both ps and cat (#508)

* fixes issue #501

* specify abolute path for ps and cat
---
 cfg/1.11/master.yaml | 112 +++++++++++++++++++++----------------------
 cfg/1.11/node.yaml | 58 +++++++++++-----------
 cfg/1.13/master.yaml | 112 +++++++++++++++++++++----------------------
 cfg/1.13/node.yaml | 52 ++++++++++----------
 cmd/util.go | 2 +-
 5 files changed, 168 insertions(+), 168 deletions(-)

diff --git a/cfg/1.11/master.yaml b/cfg/1.11/master.yaml
index 02ebd47..bb0cd28 100644
--- a/cfg/1.11/master.yaml
+++ b/cfg/1.11/master.yaml
@@ -10,7 +10,7 @@ groups:
 checks:
 - id: 1.1.1
 text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--anonymous-auth"
@@ -26,7 +26,7 @@ groups:

 - id: 1.1.2
 text: "Ensure that the --basic-auth-file argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--basic-auth-file"
@@ -40,7 +40,7 @@ groups:

 - id: 1.1.3
 text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--insecure-allow-any-token"
@@ -53,7 +53,7 @@ groups:

 - id: 1.1.4
 text: "Ensure that the --kubelet-https argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
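Review bot: Only `ps` is made absolute in the new audit lines, while the two `grep` invocations in the same pipeline (`/bin/ps -ef | grep $apiserverbin | grep -v grep`) are still resolved through PATH, so whatever problem the unqualified `ps` caused (presumably a missing or unexpected PATH in the kube-bench runtime, judging from the subject line for issue #501) can still occur one command later in the same pipeline. Either qualify `grep` the same way, e.g. `audit: "/bin/ps -ef | /bin/grep $apiserverbin | /bin/grep -v grep"`, or state in the file why `ps` alone needs it. The same pattern repeats in every hunk of cfg/1.11/master.yaml and cfg/1.13/master.yaml touched by this commit (checks 1.1.1 through 1.5.7), so one sweep covers them all. Hard-coding `/bin/ps` also assumes a `/bin` that holds or links to the ps binary; a one-line comment near the top of each file, something like `# audit commands use absolute /bin paths on purpose, see issue #501`, would tell the next maintainer why these are not PATH-relative.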
@@ -71,7 +71,7 @@ groups:

 - id: 1.1.5
 text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--insecure-bind-address"
@@ -84,7 +84,7 @@ groups:

 - id: 1.1.6
 text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--insecure-port"
@@ -100,7 +100,7 @@ groups:

 - id: 1.1.7
 text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -119,7 +119,7 @@ groups:

 - id: 1.1.8
 text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--profiling"
@@ -135,7 +135,7 @@ groups:

 - id: 1.1.9
 text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--repair-malformed-updates"
@@ -151,7 +151,7 @@ groups:

 - id: 1.1.10
 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -170,7 +170,7 @@ groups:

 - id: 1.1.11
 text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -187,7 +187,7 @@ groups:

 - id: 1.1.12
 text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -204,7 +204,7 @@ groups:

 - id: 1.1.13
 text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -221,7 +221,7 @@ groups:

 - id: 1.1.14
 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -241,7 +241,7 @@ groups:

 - id: 1.1.15
 text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-path"
@@ -255,7 +255,7 @@ groups:

 - id: 1.1.16
 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-maxage"
@@ -271,7 +271,7 @@ groups:

 - id: 1.1.17
 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-maxbackup"
@@ -288,7 +288,7 @@ groups:

 - id: 1.1.18
 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-maxsize"
@@ -305,7 +305,7 @@ groups:

 - id: 1.1.19
 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--authorization-mode"
@@ -322,7 +322,7 @@ groups:

 - id: 1.1.20
 text: "Ensure that the --token-auth-file parameter is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--token-auth-file"
@@ -336,7 +336,7 @@ groups:

 - id: 1.1.21
 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--kubelet-certificate-authority"
@@ -351,7 +351,7 @@ groups:

 - id: 1.1.22
 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
 test_items:
@@ -370,7 +370,7 @@ groups:

 - id: 1.1.23
 text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--service-account-lookup"
@@ -386,7 +386,7 @@ groups:

 - id: 1.1.24
 text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -405,7 +405,7 @@ groups:

 - id: 1.1.25
 text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--service-account-key-file"
@@ -420,7 +420,7 @@ groups:

 - id: 1.1.26
 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
 test_items:
@@ -439,7 +439,7 @@ groups:

 - id: 1.1.27
 text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -461,7 +461,7 @@ groups:

 - id: 1.1.28
 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
 test_items:
@@ -480,7 +480,7 @@ groups:

 - id: 1.1.29
 text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--client-ca-file"
@@ -494,7 +494,7 @@ groups:

 - id: 1.1.30
 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--tls-cipher-suites"
@@ -510,7 +510,7 @@ groups:

 - id: 1.1.31
 text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--etcd-cafile"
@@ -525,7 +525,7 @@ groups:

 - id: 1.1.32
 text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--authorization-mode"
@@ -542,7 +542,7 @@ groups:

 - id: 1.1.33
 text: "Ensure that the admission control plugin NodeRestriction is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -561,7 +561,7 @@ groups:

 - id: 1.1.34
 text: "Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--experimental-encryption-provider-config"
@@ -576,7 +576,7 @@ groups:

 - id: 1.1.35
 text: "Ensure that the encryption provider is set to aescbc (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 type: "manual"
 remediation: |
 [Manual test]
@@ -597,7 +597,7 @@ groups:

 - id: 1.1.36
 text: "Ensure that the admission control plugin EventRateLimit is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -615,7 +615,7 @@ groups:

 - id: 1.1.37a
 text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -635,7 +635,7 @@ groups:

 - id: 1.1.37b
 text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-policy-file"
@@ -652,7 +652,7 @@ groups:

 - id: 1.1.38
 text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -668,7 +668,7 @@ groups:

 - id: 1.1.39
 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers ( Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--tls-cipher-suites"
@@ -687,7 +687,7 @@ groups:
 checks:
 - id: 1.2.1
 text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--profiling"
@@ -703,7 +703,7 @@ groups:

 - id: 1.2.2
 text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -725,7 +725,7 @@ groups:
 checks:
 - id: 1.3.1
 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--terminated-pod-gc-threshold"
@@ -738,7 +738,7 @@ groups:

 - id: 1.3.2
 text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--profiling"
@@ -754,7 +754,7 @@ groups:

 - id: 1.3.3
 text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--use-service-account-credentials"
@@ -770,7 +770,7 @@ groups:

 - id: 1.3.4
 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--service-account-private-key-file"
@@ -784,7 +784,7 @@ groups:

 - id: 1.3.5
 text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--root-ca-file"
@@ -798,7 +798,7 @@ groups:

 - id: 1.3.6
 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--feature-gates"
@@ -815,7 +815,7 @@ groups:

 - id: 1.3.7
 text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -1205,7 +1205,7 @@ groups:
 checks:
 - id: 1.5.1
 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
 - flag: "--cert-file"
@@ -1222,7 +1222,7 @@ groups:

 - id: 1.5.2
 text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
 - flag: "--client-cert-auth"
@@ -1238,7 +1238,7 @@ groups:

 - id: 1.5.3
 text: "Ensure that the --auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -1257,7 +1257,7 @@ groups:

 - id: 1.5.4
 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
 tests:
 bin_op: and
 test_items:
@@ -1275,7 +1275,7 @@ groups:

 - id: 1.5.5
 text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
 - flag: "--peer-client-cert-auth"
@@ -1291,7 +1291,7 @@ groups:

 - id: 1.5.6
 text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -1310,7 +1310,7 @@ groups:

 - id: 1.5.7
 text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
- audit: "ps -ef | grep $etcdbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
 type: "manual"
 tests:
 test_items:
diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml
index 12b7e3b..e8e0d9f 100644
--- a/cfg/1.11/node.yaml
+++ b/cfg/1.11/node.yaml
@@ -10,7 +10,7 @@ groups:
 checks:
 - id: 2.1.1
 text: Ensure that the --allow-privileged argument is set to false (Scored)
- audit: "ps -fC $kubeletbin "
+ audit: "/bin/ps -fC $kubeletbin "
 tests:
 test_items:
 - flag: --allow-privileged
@@ -29,8 +29,8 @@ groups:

 - id: 2.1.2
 text: Ensure that the --anonymous-auth argument is set to false (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --anonymous-auth
@@ -53,8 +53,8 @@ groups:

 - id: 2.1.3
 text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --authorization-mode
@@ -76,8 +76,8 @@ groups:

 - id: 2.1.4
 text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --client-ca-file
@@ -97,8 +97,8 @@ groups:

 - id: 2.1.5
 text: Ensure that the --read-only-port argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --read-only-port
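Review bot: The rewritten line for check 2.1.1 in cfg/1.11/node.yaml, `audit: "/bin/ps -fC $kubeletbin "`, keeps a trailing space inside the quotes that none of the other kubelet audit lines touched here carry (2.1.2 through 2.1.15 use `"/bin/ps -fC $kubeletbin"`); since the line is being rewritten anyway, `audit: "/bin/ps -fC $kubeletbin"` would make it consistent and avoid the stray argument separator. The `audit_config` lines now hard-code `/bin/cat` as well, so this file makes the same assumption about a populated `/bin` that the master files do. A short comment near the top of cfg/1.11/node.yaml, along the lines of `# audit and audit_config commands use absolute /bin paths on purpose, see issue #501`, would stop a later cleanup from quietly reverting them to PATH lookups.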
@@ -120,8 +120,8 @@ groups:

 - id: 2.1.6
 text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --streaming-connection-idle-timeout
@@ -148,8 +148,8 @@ groups:

 - id: 2.1.7
 text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --protect-kernel-defaults
@@ -171,8 +171,8 @@ groups:

 - id: 2.1.8
 text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --make-iptables-util-chains
@@ -198,8 +198,8 @@ groups:

 - id: 2.1.9
 text: Ensure that the --hostname-override argument is not set (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --hostname-override
@@ -216,8 +216,8 @@ groups:

 - id: 2.1.10
 text: Ensure that the --event-qps argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --event-qps
@@ -239,8 +239,8 @@ groups:

 - id: 2.1.11
 text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --tls-cert-file
@@ -266,8 +266,8 @@ groups:

 - id: 2.1.12
 text: Ensure that the --cadvisor-port argument is set to 0 (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --cadvisor-port
@@ -291,8 +291,8 @@ groups:

 - id: 2.1.13
 text: Ensure that the --rotate-certificates argument is not set to false (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --rotate-certificates
@@ -316,8 +316,8 @@ groups:

 - id: 2.1.14
 text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: RotateKubeletServerCertificate
@@ -337,8 +337,8 @@ groups:

 - id: 2.1.15
 text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
- audit: "ps -fC $kubeletbin"
- audit_config: "cat $kubeletconf"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
 tests:
 test_items:
 - flag: --tls-cipher-suites
diff --git a/cfg/1.13/master.yaml b/cfg/1.13/master.yaml
index 57fc20d..c10ead7 100644
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
@@ -10,7 +10,7 @@ groups:
 checks:
 - id: 1.1.1
 text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--anonymous-auth"
@@ -26,7 +26,7 @@ groups:

 - id: 1.1.2
 text: "Ensure that the --basic-auth-file argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--basic-auth-file"
@@ -40,7 +40,7 @@ groups:

 - id: 1.1.3
 text: "Ensure that the --insecure-allow-any-token argument is not set (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--insecure-allow-any-token"
@@ -53,7 +53,7 @@ groups:

 - id: 1.1.4
 text: "Ensure that the --kubelet-https argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -71,7 +71,7 @@ groups:

 - id: 1.1.5
 text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--insecure-bind-address"
@@ -84,7 +84,7 @@ groups:

 - id: 1.1.6
 text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--insecure-port"
@@ -100,7 +100,7 @@ groups:

 - id: 1.1.7
 text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -119,7 +119,7 @@ groups:

 - id: 1.1.8
 text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--profiling"
@@ -135,7 +135,7 @@ groups:

 - id: 1.1.9
 text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--repair-malformed-updates"
@@ -151,7 +151,7 @@ groups:

 - id: 1.1.10
 text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -170,7 +170,7 @@ groups:

 - id: 1.1.11
 text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -187,7 +187,7 @@ groups:

 - id: 1.1.12
 text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 type: "skip"
 tests:
 test_items:
@@ -205,7 +205,7 @@ groups:

 - id: 1.1.13
 text: "Ensure that the admission control plugin SecurityContextDeny is set (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -222,7 +222,7 @@ groups:

 - id: 1.1.14
 text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -242,7 +242,7 @@ groups:

 - id: 1.1.15
 text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-path"
@@ -256,7 +256,7 @@ groups:

 - id: 1.1.16
 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-maxage"
@@ -272,7 +272,7 @@ groups:

 - id: 1.1.17
 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-maxbackup"
@@ -289,7 +289,7 @@ groups:

 - id: 1.1.18
 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-log-maxsize"
@@ -306,7 +306,7 @@ groups:

 - id: 1.1.19
 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--authorization-mode"
@@ -323,7 +323,7 @@ groups:

 - id: 1.1.20
 text: "Ensure that the --token-auth-file parameter is not set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--token-auth-file"
@@ -337,7 +337,7 @@ groups:

 - id: 1.1.21
 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--kubelet-certificate-authority"
@@ -352,7 +352,7 @@ groups:

 - id: 1.1.22
 text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
 test_items:
@@ -371,7 +371,7 @@ groups:

 - id: 1.1.23
 text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -390,7 +390,7 @@ groups:

 - id: 1.1.24
 text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -409,7 +409,7 @@ groups:

 - id: 1.1.25
 text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--service-account-key-file"
@@ -424,7 +424,7 @@ groups:

 - id: 1.1.26
 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
 test_items:
@@ -443,7 +443,7 @@ groups:

 - id: 1.1.27
 text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -465,7 +465,7 @@ groups:

 - id: 1.1.28
 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: and
 test_items:
@@ -484,7 +484,7 @@ groups:

 - id: 1.1.29
 text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--client-ca-file"
@@ -498,7 +498,7 @@ groups:

 - id: 1.1.30
 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--tls-cipher-suites"
@@ -514,7 +514,7 @@ groups:

 - id: 1.1.31
 text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--etcd-cafile"
@@ -529,7 +529,7 @@ groups:

 - id: 1.1.32
 text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--authorization-mode"
@@ -546,7 +546,7 @@ groups:

 - id: 1.1.33
 text: "Ensure that the admission control plugin NodeRestriction is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -564,7 +564,7 @@ groups:

 - id: 1.1.34
 text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 type: "manual"
 tests:
 test_items:
@@ -581,7 +581,7 @@ groups:

 - id: 1.1.35
 text: "Ensure that the encryption provider is set to aescbc (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 type: "manual"
 remediation: |
 [Manual test]
@@ -602,7 +602,7 @@ groups:

 - id: 1.1.36
 text: "Ensure that the admission control plugin EventRateLimit is set (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -620,7 +620,7 @@ groups:

 - id: 1.1.37a
 text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -640,7 +640,7 @@ groups:

 - id: 1.1.37b
 text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--audit-policy-file"
@@ -657,7 +657,7 @@ groups:

 - id: 1.1.38
 text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -673,7 +673,7 @@ groups:

 - id: 1.1.39
 text: "Ensure that the --authorization-mode argument includes RBAC (Scored)"
- audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
 - flag: "--authorization-mode"
@@ -690,7 +690,7 @@ groups:
 checks:
 - id: 1.2.1
 text: "Ensure that the --profiling argument is set to false (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--profiling"
@@ -706,7 +706,7 @@ groups:

 - id: 1.2.2
 text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
- audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
 tests:
 bin_op: or
 test_items:
@@ -728,7 +728,7 @@ groups:
 checks:
 - id: 1.3.1
 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
- audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
 - flag: "--terminated-pod-gc-threshold"
@@ -741,7 +741,7 @@ groups: - id: 1.3.2 text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--profiling" @@ -757,7 +757,7 @@ groups: - id: 1.3.3 text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)" - audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--use-service-account-credentials" @@ -773,7 +773,7 @@ groups: - id: 1.3.4 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--service-account-private-key-file" @@ -787,7 +787,7 @@ groups: - id: 1.3.5 text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--root-ca-file" @@ -801,7 +801,7 @@ groups: - id: 1.3.6 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" - audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--feature-gates" @@ -818,7 +818,7 @@ groups: - id: 1.3.7 text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)" - audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" tests: bin_op: or test_items: 
@@ -1270,7 +1270,7 @@ groups: checks: - id: 1.5.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep" + audit: "/bin/ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--cert-file" @@ -1287,7 +1287,7 @@ groups: - id: 1.5.2 text: "Ensure that the --client-cert-auth argument is set to true (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep" + audit: "/bin/ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--client-cert-auth" @@ -1303,7 +1303,7 @@ groups: - id: 1.5.3 text: "Ensure that the --auto-tls argument is not set to true (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep" + audit: "/bin/ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or test_items: @@ -1322,7 +1322,7 @@ groups: - id: 1.5.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep" + audit: "/bin/ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: and test_items: @@ -1340,7 +1340,7 @@ groups: - id: 1.5.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep" + audit: "/bin/ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--peer-client-cert-auth" @@ -1356,7 +1356,7 @@ groups: - id: 1.5.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep" + audit: "/bin/ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or test_items: @@ -1375,7 +1375,7 @@ groups: - id: 1.5.7 text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep" + audit: "/bin/ps -ef | grep $etcdbin | grep -v grep" type: "manual" tests: test_items: diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml index e0c7355..ae581a4 100644 --- a/cfg/1.13/node.yaml 
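Review bot: `/bin/ps -ef | grep $etcdbin | grep -v grep` on the new side of the 1.5.x hunks still matches `$etcdbin` as a substring of any process's full argv, so when `$etcdbin` is a short name such as `etcd` the kube-apiserver's own command line (which typically carries `--etcd-servers`, `--etcd-cafile` and similar options) is presumably captured too, and the `--cert-file`/`--client-cert-auth`/`--auto-tls` tests then run against a mixed output; I cannot see how `$etcdbin` is populated, so treat this as something to confirm. Since this commit already uses the comm-name form `/bin/ps -fC $kubeletbin` for the kubelet checks, the same `/bin/ps -fC $etcdbin` form would avoid the substring match here (with the caveat that `-C` matches the kernel's 15-character comm name, not a path). The etcd hunks are complete on this line; the `diff --git … cfg/1.13/node.yaml` header at the end of this line opens a section whose hunk continues on the next line.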
+++ b/cfg/1.13/node.yaml @@ -10,8 +10,8 @@ groups: checks: - id: 2.1.1 text: Ensure that the --anonymous-auth argument is set to false (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: "--anonymous-auth" @@ -34,8 +34,8 @@ groups: - id: 2.1.2 text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --authorization-mode @@ -57,8 +57,8 @@ groups: - id: 2.1.3 text: Ensure that the --client-ca-file argument is set as appropriate (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --client-ca-file @@ -78,8 +78,8 @@ groups: - id: 2.1.4 text: Ensure that the --read-only-port argument is set to 0 (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: "--read-only-port" @@ -101,8 +101,8 @@ groups: - id: 2.1.5 text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --streaming-connection-idle-timeout @@ -129,8 +129,8 @@ groups: - id: 2.1.6 text: Ensure that the --protect-kernel-defaults argument is set to true (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --protect-kernel-defaults 
@@ -152,8 +152,8 @@ groups: - id: 2.1.7 text: Ensure that the --make-iptables-util-chains argument is set to true (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --make-iptables-util-chains @@ -182,7 +182,7 @@ groups: # This is one of those properties that can only be set as a command line argument. # To check if the property is set as expected, we need to parse the kubelet command # instead reading the Kubelet Configuration file. - audit: "ps -fC $kubeletbin " + audit: "/bin/ps -fC $kubeletbin " tests: test_items: - flag: --hostname-override @@ -198,8 +198,8 @@ groups: - id: 2.1.9 text: Ensure that the --event-qps argument is set to 0 (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --event-qps @@ -221,8 +221,8 @@ groups: - id: 2.1.10 text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --tls-cert-file @@ -251,7 +251,7 @@ groups: # This is one of those properties that can only be set as a command line argument. # To check if the property is set as expected, we need to parse the kubelet command # instead reading the Kubelet Configuration file. - audit: "ps -fC $kubeletbin " + audit: "/bin/ps -fC $kubeletbin " type: skip tests: test_items: @@ -274,8 +274,8 @@ groups: - id: 2.1.12 text: Ensure that the --rotate-certificates argument is not set to false (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --rotate-certificates 
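Review bot: The new `/bin/ps -fC $kubeletbin ` lines for 2.1.8 and 2.1.11 carry over a trailing space inside the quoted command; `sh` ignores it, but it is the only place the audit strings differ in shape, so drop it while the line is being rewritten: `audit: "/bin/ps -fC $kubeletbin"`. Separately, `/bin/cat $kubeletconf` leaves the path unquoted, so a config path containing whitespace would be word-split by the shell — if `$kubeletconf` is substituted textually before the command is handed to `sh` (the runner is not visible here), `audit_config: '/bin/cat "$kubeletconf"'` is the safer form. Note also that `-C` matches the kernel comm name, which is truncated to 15 characters, so `$kubeletbin` must be the process name rather than a path; the `util.go` hunk on this page carries a TODO acknowledging the same limitation. All hunks on this line are complete.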
@@ -299,8 +299,8 @@ groups: - id: 2.1.13 text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: RotateKubeletServerCertificate @@ -320,8 +320,8 @@ groups: - id: 2.1.14 text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) - audit: "ps -fC $kubeletbin" - audit_config: "cat $kubeletconf" + audit: "/bin/ps -fC $kubeletbin" + audit_config: "/bin/cat $kubeletconf" tests: test_items: - flag: --tls-cipher-suites diff --git a/cmd/util.go b/cmd/util.go index 2a49b10..184c479 100644 --- a/cmd/util.go +++ b/cmd/util.go @@ -78,7 +78,7 @@ func cleanIDs(list string) map[string]bool { func ps(proc string) string { // TODO: truncate proc to 15 chars // See https://github.com/aquasecurity/kube-bench/issues/328#issuecomment-506813344 - cmd := exec.Command("ps", "-C", proc, "-o", "cmd", "--no-headers") + cmd := exec.Command("/bin/ps", "-C", proc, "-o", "cmd", "--no-headers") out, err := cmd.Output() if err != nil { continueWithError(fmt.Errorf("%s: %s", cmd.Args, err), "")
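Review bot: Passing `"/bin/ps"` to `exec.Command` in `ps()` turns a PATH dependence into a filesystem-layout dependence: an absolute path skips `LookPath`, so on a host or image that has `ps` only at `/usr/bin/ps` (no `/bin` → `/usr/bin` merge) the call now fails with a not-found error that flows into `continueWithError`, where it previously worked with any sane PATH. The change also carries no comment saying why the path is pinned; a one-liner such as `// Absolute path on purpose: the audit must not depend on the caller's PATH (see #501).` would stop the next maintainer from reverting it. If the goal is to distrust PATH rather than to require `/bin` specifically, resolve against a fixed list of trusted locations instead, as sketched below (`os` must be in scope; `exec.LookPath` is not a substitute because it honours PATH). The `ps` function continues past the end of this hunk.
```go
// psPath returns the first well-known location of ps present on this host.
// PATH is deliberately not consulted (see #501).
func psPath() string {
	for _, p := range []string{"/bin/ps", "/usr/bin/ps"} {
		if _, err := os.Stat(p); err == nil {
			return p
		}
	}
	return "/bin/ps" // let exec.Command report the failure
}

func ps(proc string) string {
	// … unchanged: TODO / issue #328 comments …
	cmd := exec.Command(psPath(), "-C", proc, "-o", "cmd", "--no-headers")
	// … unchanged: Output() and error handling …
```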