From 3926ba3977822c2964881a48eb2dc465eb13652f Mon Sep 17 00:00:00 2001
From: Roberto Rojas
Date: Thu, 11 Jul 2019 12:05:24 -0400
Subject: [PATCH] issue #337: Adds comment for properties detected thru parsing command line. Fixed Audit for test 2.1.8 (#354)
---
 cfg/1.11-json/node.yaml | 3 +++
 cfg/1.13-json/node.yaml | 10 ++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/cfg/1.11-json/node.yaml b/cfg/1.11-json/node.yaml
index f85687d..9f0b454 100644
--- a/cfg/1.11-json/node.yaml
+++ b/cfg/1.11-json/node.yaml
@@ -10,6 +10,9 @@ groups:
 checks:
 - id: 2.1.1
 text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+ # This is one of those properties that can only be set as a command line argument.
+ # To check if the property is set as expected, we need to parse the kubelet command
+ # instead reading the Kubelet Configuration file.
 audit: "ps -fC $kubeletbin"
 tests:
 test_items:
diff --git a/cfg/1.13-json/node.yaml b/cfg/1.13-json/node.yaml
index 7140943..a061dc4 100644
--- a/cfg/1.13-json/node.yaml
+++ b/cfg/1.13-json/node.yaml
@@ -160,7 +160,10 @@ groups:
 - id: 2.1.8
 text: "Ensure that the --hostname-override argument is not set (Scored)"
- audit: "cat $kubeletconf"
+ # This is one of those properties that can only be set as a command line argument.
+ # To check if the property is set as expected, we need to parse the kubelet command
+ # instead reading the Kubelet Configuration file.
+ audit: "ps -fC $kubeletbin"
 tests:
 test_items:
 - flag: "--hostname-override"
@@ -221,7 +224,10 @@ groups:
 - id: 2.1.11
 text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
- audit: "cat $kubeletconf"
+ # This is one of those properties that can only be set as a command line argument.
+ # To check if the property is set as expected, we need to parse the kubelet command
+ # instead reading the Kubelet Configuration file.
+ audit: "ps -fC $kubeletbin"
 tests:
 bin_op: or
 test_items:
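Review bot: The comment added above `audit:` for check 2.1.1 reads "instead reading" and never names the flag it is about. The identical text is pasted again for 2.1.8 and 2.1.11 in cfg/1.13-json/node.yaml. Naming the flag would make each copy self-explanatory, for example `# --allow-privileged can only be set on the kubelet command line, so the audit parses` followed by `# the running kubelet command instead of reading the kubelet configuration file.` The check's `test_items` continue outside the hunk.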
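Review bot: With `audit: "ps -fC $kubeletbin"` on check 2.1.8, a "not set" test can pass without any kubelet having been inspected. If `$kubeletbin` does not match the running process name, or the kubelet is down, `ps -fC` prints no process line and `--hostname-override` is trivially absent. The same applies to whatever "not set" branch sits behind `bin_op: or` in 2.1.11; the `test_items` bodies lie outside both hunks, so this is inferred from the check text. At minimum I would document the limitation next to the audit, e.g. `# NOTE: passes vacuously when no $kubeletbin process is found; confirm the kubelet is running.` It would also be worth confirming that the `ps` output is not width-truncated on long kubelet command lines, since a cut-off flag would look the same as an unset one.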