diff --git a/cfg/ack-1.0/master.yaml b/cfg/ack-1.0/master.yaml
index 3a0b185..e3c4d6c 100644
--- a/cfg/ack-1.0/master.yaml
+++ b/cfg/ack-1.0/master.yaml
@@ -680,12 +680,7 @@ groups:
 - id: 1.2.24
 text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
- tests:
- bin_op: or
- test_items:
- - flag: "--request-timeout"
- set: false
- - flag: "--request-timeout"
+ type: manual
 remediation: |
 Edit the API server pod specification file $apiserverconf
 and set the below parameter as appropriate and if needed.
diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index e911339..926cc32 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -766,13 +766,7 @@ groups:
 - id: 1.2.26
 text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
- tests:
- bin_op: or
- test_items:
- - flag: "--request-timeout"
- set: false
- - flag: "--request-timeout"
- set: true
+ type: manual
 remediation: |
 Edit the API server pod specification file $apiserverconf
 and set the below parameter as appropriate and if needed.
diff --git a/cfg/cis-1.6/master.yaml b/cfg/cis-1.6/master.yaml
index 9341d18..c354bd7 100644
--- a/cfg/cis-1.6/master.yaml
+++ b/cfg/cis-1.6/master.yaml
@@ -714,12 +714,7 @@ groups:
 - id: 1.2.26
 text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
- tests:
- bin_op: or
- test_items:
- - flag: "--request-timeout"
- set: false
- - flag: "--request-timeout"
+ type: manual
 remediation: |
 Edit the API server pod specification file $apiserverconf
 and set the below parameter as appropriate and if needed.
diff --git a/integration/testdata/cis-1.5/job-master.data b/integration/testdata/cis-1.5/job-master.data
index cd939be..39fe5ac 100644
--- a/integration/testdata/cis-1.5/job-master.data
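Review bot: The added `type: manual` under 1.2.24 has no comment saying why an item whose `text:` still reads "(Automated)" is no longer evaluated, so the report will show a WARN on a check labelled Automated with nothing in the config to explain it; the 1.2.26 hunks in cfg/cis-1.5/master.yaml and cfg/cis-1.6/master.yaml make the same undocumented switch. The removed test appears to have passed whether or not the flag was present, which is worth recording above the new line, e.g. `# "as appropriate" has no fixed expected value and the old set/unset test always passed; left manual so the operator reviews the configured timeout`. The `audit:` command is kept in all three checks, and it may be worth confirming that a manual check still needs it. The remediation block of each check continues past the end of its hunk.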
+++ b/integration/testdata/cis-1.5/job-master.data @@ -47,7 +47,7 @@ [FAIL] 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) [FAIL] 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored) [FAIL] 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored) -[PASS] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) +[WARN] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) [PASS] 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) [PASS] 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Scored) [PASS] 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) @@ -140,6 +140,11 @@ on the master node and set the --audit-log-maxsize parameter to an appropriate s For example, to set it as 100 MB: --audit-log-maxsize=100 +1.2.26 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml +and set the below parameter as appropriate and if needed. +For example, +--request-timeout=300s + 1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= @@ -166,13 +171,13 @@ on the master node and set the below parameter. == Summary master == -45 checks PASS +44 checks PASS 10 checks FAIL -10 checks WARN +11 checks WARN 0 checks INFO == Summary total == -45 checks PASS +44 checks PASS 10 checks FAIL -10 checks WARN -0 checks INFO \ No newline at end of file +11 checks WARN +0 checks INFO diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data index 9c2e7a0..246839b 100644 
--- a/integration/testdata/cis-1.5/job.data +++ b/integration/testdata/cis-1.5/job.data @@ -47,7 +47,7 @@ [FAIL] 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) [FAIL] 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored) [FAIL] 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored) -[PASS] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) +[WARN] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) [PASS] 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) [PASS] 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Scored) [PASS] 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) @@ -140,6 +140,11 @@ on the master node and set the --audit-log-maxsize parameter to an appropriate s For example, to set it as 100 MB: --audit-log-maxsize=100 +1.2.26 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml +and set the below parameter as appropriate and if needed. +For example, +--request-timeout=300s + 1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= @@ -166,9 +171,9 @@ on the master node and set the below parameter. == Summary master == -45 checks PASS +44 checks PASS 10 checks FAIL -10 checks WARN +11 checks WARN 0 checks INFO [INFO] 2 Etcd Node Configuration @@ -410,7 +415,7 @@ resources and that all new resources are created in a specific namespace. 0 checks INFO == Summary total == -72 checks PASS +71 checks PASS 13 checks FAIL -37 checks WARN +38 checks WARN 0 checks INFO 
diff --git a/integration/testdata/cis-1.6/job-master.data b/integration/testdata/cis-1.6/job-master.data index 4ff1637..01fd194 100644 --- a/integration/testdata/cis-1.6/job-master.data +++ b/integration/testdata/cis-1.6/job-master.data @@ -47,7 +47,7 @@ [FAIL] 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) [FAIL] 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) [FAIL] 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) -[PASS] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) +[WARN] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) [PASS] 1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated) [PASS] 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) [PASS] 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated) @@ -140,6 +140,11 @@ on the master node and set the --audit-log-maxsize parameter to an appropriate s For example, to set it as 100 MB: --audit-log-maxsize=100 +1.2.26 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml +and set the below parameter as appropriate and if needed. +For example, +--request-timeout=300s + 1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= 
@@ -169,13 +174,13 @@ on the master node and set the below parameter. == Summary master == -45 checks PASS +44 checks PASS 10 checks FAIL -10 checks WARN +11 checks WARN 0 checks INFO == Summary total == -45 checks PASS +44 checks PASS 10 checks FAIL -10 checks WARN -0 checks INFO \ No newline at end of file +11 checks WARN +0 checks INFO diff --git a/integration/testdata/cis-1.6/job.data b/integration/testdata/cis-1.6/job.data index 54ec2b0..c8e90f4 100644 --- a/integration/testdata/cis-1.6/job.data +++ b/integration/testdata/cis-1.6/job.data @@ -47,7 +47,7 @@ [FAIL] 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) [FAIL] 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) [FAIL] 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) -[PASS] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) +[WARN] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) [PASS] 1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated) [PASS] 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) [PASS] 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated) 
@@ -140,6 +140,11 @@ on the master node and set the --audit-log-maxsize parameter to an appropriate s For example, to set it as 100 MB: --audit-log-maxsize=100 +1.2.26 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml +and set the below parameter as appropriate and if needed. +For example, +--request-timeout=300s + 1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= @@ -169,9 +174,9 @@ on the master node and set the below parameter. == Summary master == -45 checks PASS +44 checks PASS 10 checks FAIL -10 checks WARN +11 checks WARN 0 checks INFO [INFO] 2 Etcd Node Configuration @@ -413,7 +418,7 @@ resources and that all new resources are created in a specific namespace. 0 checks INFO == Summary total == -72 checks PASS +71 checks PASS 11 checks FAIL -39 checks WARN +40 checks WARN 0 checks INFO