diff --git a/cfg/master.yaml b/cfg/master.yaml
index 7005f95..f54bf6a 100644
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@@ -599,12 +599,23 @@ groups:
 # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $apiserverconf"
 scored: true
@@ -627,12 +638,23 @@ groups:
 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $config"
 scored: true
@@ -655,12 +677,23 @@ groups:
 text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $schedulerconf"
 scored: true
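Review bot: Enumerating `644`, `640` and `600` under `bin_op: or` still fails a file that is more restrictive than 644, which is exactly what each `text:` ("644 or more restrictive") promises to accept — as far as the visible `op: eq` items go, a read-only `444` or `400` file (common for certificates and CA bundles) prints a mode that matches none of the three items, so the check reports a failure for a compliant file. The same three-item list is added to the API server, config, scheduler, etcd.conf and flanneld checks in master.yaml and to the config, kubelet, proxy and client-ca-file checks in node.yaml, so the gap applies to all nine hunks. Until the test engine can compare the stat output as a permission bitmask against 644, the list should at least gain `- flag: "444"`, `- flag: "440"` and `- flag: "400"` items shaped like the new `"640"` item, with a comment above `bin_op: or` such as `# enumerated subsets of 644; other more-restrictive modes still need adding` so the limitation is visible to the next editor. Because every item carries `set: true`, an audit that prints nothing still fails all items, so the check stays fail-closed rather than silently passing.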
@@ -683,12 +716,23 @@ groups:
 text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $etcdconf"
 scored: true
@@ -711,12 +755,23 @@ groups:
 text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $flanneldconf"
 scored: true
diff --git a/cfg/node.yaml b/cfg/node.yaml
index 0b5b90b..dfff376 100644
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@@ -223,8 +223,22 @@ groups:
 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
 set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $config"
@@ -248,12 +262,23 @@ groups:
 text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: 644
 set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $kubeletconf"
 scored: true
@@ -273,8 +298,22 @@ groups:
 text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
 set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $proxyconf"
@@ -296,8 +335,22 @@ groups:
 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
 set: true
 remediation: "Run the following command to modify the file permissions of the --client-ca-file \nchmod 644 "
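Review bot: The new `value: "640"` and `value: "600"` items on the kubelet check sit directly under the pre-existing `value: 644`, which is unquoted and therefore parses as a YAML integer rather than the string every other check in these two files uses; whether `op: eq` still matches the stat output then depends on how the engine coerces the two types, which is not visible here. Quoting it as `value: "644"` makes the kubelet item consistent with its two new siblings and with the master.yaml checks, and removes that dependency on coercion.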
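Review bot: The three items on the client-ca-file check can only match what its `audit:` line prints, and that line references `$ca-file`; in POSIX sh a hyphen ends a variable name, so unless the tool substitutes `$ca-file` textually before the command runs, the shell expands `$ca` (presumably unset) and `test -e -file` looks for a file literally named `-file`, nothing is printed, and with `set: true` every item fails regardless of the real mode. That line is context rather than something this commit changes, but it decides whether the added `"640"` and `"600"` items ever take effect, so a hyphen-free name in the style of `$proxyconf` and `$kubeletconf` in the neighbouring hunks (e.g. `$cafile`, matched in the substitution config) is worth raising here. The `remediation:` string on the same check also appears on the page to end with `chmod 644 ` and no path — worth confirming that is not a placeholder lost in rendering.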