arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-05-10 19:08:52 +00:00
Code Issues Releases Wiki Activity

Try to search the right ca file of kubelet (#633)

Browse Source
This commit is contained in:
Huang Huang 2020-07-08 15:22:49 +08:00 committed by GitHub
parent 1b5b6c2afe
commit 3e6a41af04
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cfg/cis-1.3/node.yaml
View File

@ -456,7 +456,12 @@ groups:
- id: 2.2.8 - id: 2.2.8
text: Ensure that the client certificate authorities file ownership is set to root:root (Scored) text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' ' audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
if [[ -z $CAFILE ]]; then
CAFILE=$kubeletcafile
fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root

7
cfg/cis-1.4/node.yaml
View File

@ -447,7 +447,12 @@ groups:
- id: 2.2.8 - id: 2.2.8
text: Ensure that the client certificate authorities file ownership is set to root:root (Scored) text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' ' audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
if [[ -z $CAFILE ]]; then
CAFILE=$kubeletcafile
fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root

7
cfg/cis-1.5/node.yaml
View File

@ -107,7 +107,12 @@ groups:
- id: 4.1.8 - id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' ' audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
if [[ -z $CAFILE ]]; then
CAFILE=$kubeletcafile
fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root