arno
/
kube-bench
mirror of https://github.com/aquasecurity/kube-bench.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Rancher checks correction (#1563)

Browse Source 
1. Have modified test criteria such that it produces right output in case of there is no file exists.
2. Have modified the tests wherever root:root is checked multiple times.
pull/1570/head
Kiran Bodipi 3 months ago committed by GitHub
parent faeceb5dfa
commit 2374e7b07f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 6 additions and 30 deletions
Show Stats Download Patch File Download Diff File

3
cfg/k3s-cis-1.23/node.yaml
Unescape View File

@ -149,9 +149,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

3
cfg/k3s-cis-1.24/node.yaml
Unescape View File

@ -118,9 +118,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

3
cfg/k3s-cis-1.7/node.yaml
Unescape View File

@ -114,9 +114,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

3
cfg/rke-cis-1.23/node.yaml
Unescape View File

@ -111,9 +111,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

12
cfg/rke-cis-1.24/node.yaml
Unescape View File

@ -94,27 +94,27 @@ groups:
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"
audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem"
audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
- flag: "File not found"
remediation: |
Run the following command to modify the file permissions of the
--client-ca-file chmod 600 <filename>
scored: true
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem"
audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
bin_op: or
test_items:
- flag: root:root
compare:
op: eq
value: root:root
- flag: "File not found"
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

3
cfg/rke-cis-1.7/node.yaml
Unescape View File

@ -116,9 +116,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

3
cfg/rke2-cis-1.23/node.yaml
Unescape View File

@ -119,9 +119,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

3
cfg/rke2-cis-1.24/node.yaml
Unescape View File

@ -119,9 +119,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

3
cfg/rke2-cis-1.7/node.yaml
Unescape View File

@ -120,9 +120,6 @@ groups:
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>

Write Preview
Loading…
Cancel
Save