From 2751f870348e067306caed2017513ea42a03a961 Mon Sep 17 00:00:00 2001
From: Andy Pitcher
Date: Thu, 26 Sep 2024 00:45:48 -0400
Subject: [PATCH] Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14 (#1649)

* Fix audit and remediation for CIS-1.9 master 1.1.13/1.1.14
* Fix loop syntax for file paths
---------
Co-authored-by: afdesk
---
 cfg/cis-1.9/master.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cfg/cis-1.9/master.yaml b/cfg/cis-1.9/master.yaml
index ad1423e..50edab1 100644
--- a/cfg/cis-1.9/master.yaml
+++ b/cfg/cis-1.9/master.yaml
@@ -189,7 +189,7 @@ groups:
 - id: 1.1.13
 text: "Ensure that the default administrative credential file permissions are set to 600 (Automated)"
 audit: |
- for adminconf in /etc/kubernetes/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c \"permissions=%a %n\" $adminconf; fi; done
+ for adminconf in /etc/kubernetes/admin.conf /etc/kubernetes/super-admin.conf; do if test -e $adminconf; then stat -c "permissions=%a %n" $adminconf; fi; done
 use_multiple_values: true
 tests:
 test_items:
@@ -207,7 +207,7 @@ groups:
 - id: 1.1.14
 text: "Ensure that the default administrative credential file ownership is set to root:root (Automated)"
 audit: |
- for adminconf in /tmp/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c "ownership=%U:%G %n" $adminconf; fi; done
+ for adminconf in /etc/kubernetes/admin.conf /etc/kubernetes/super-admin.conf; do if test -e $adminconf; then stat -c "ownership=%U:%G %n" $adminconf; fi; done
 use_multiple_values: true
 tests:
 test_items:
@@ -219,7 +219,7 @@ groups:
 Run the below command (based on the file location on your system) on the control plane node.
 For example, chown root:root /etc/kubernetes/admin.conf
 On Kubernetes 1.29+ the super-admin.conf file should also be modified, if present.
- For example, chmod 600 /etc/kubernetes/super-admin.conf
+ For example, chown root:root /etc/kubernetes/super-admin.conf
 scored: true
 
 - id: 1.1.15
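Review bot: `$adminconf` is still expanded unquoted in both `test -e $adminconf` and the `stat` call on the added 1.1.13 audit line; that is harmless only because the list is now two fixed literal paths, so writing `"$adminconf"` in both places would make the intent explicit and match the quoting the line now uses for the `stat` format string. A second caveat on the same line: `test -e` follows symlinks while `stat -c` without `-L` reports the link itself, so if `/etc/kubernetes/admin.conf` were a symlink the loop would print the link's mode rather than the target's; `stat -L -c "permissions=%a %n" "$adminconf"` would report the real file, or a short comment could record that a regular file is expected. Both points apply equally to the parallel loop added for 1.1.14 in the second hunk. The `test_items` that consume the `permissions=` output, and therefore decide what happens when neither file exists and the loop prints nothing, lie outside the visible lines.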