Modify 1.2.3 Ensure that the DenyServiceExternalIPs is set in CIS-1.7/1.8 (#1607)

* Modify 1.2.3 Ensure that the DenyServiceExternalIPs is set - op changed from `have` to `has` and removed bin_op: or - remediation description changed to only include --enable-admission-plugins * Apply changes for CIS-1.9
2024-12-19 13:18:07 +00:00 · 2024-09-30 00:30:59 -04:00 · 2024-09-30 00:30:59 -04:00 · 4b4c1ce709
commit 4b4c1ce709
parent b85ec78a84
3 changed files with 9 additions and 11 deletions
--- a/cfg/cis-1.7/master.yaml
+++ b/cfg/cis-1.7/master.yaml
@ -345,16 +345,15 @@ groups:
        text: "Ensure that the --DenyServiceExternalIPs is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
-          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
-                op: have
+                op: has
                value: "DenyServiceExternalIPs"
        remediation: |
          Edit the API server pod specification file $apiserverconf
-          on the control plane node and remove the `DenyServiceExternalIPs`
-          from enabled admission plugins.
+          on the control plane node and add the `DenyServiceExternalIPs` plugin
+          to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
        scored: false

      - id: 1.2.4
--- a/cfg/cis-1.8/master.yaml
+++ b/cfg/cis-1.8/master.yaml
@ -345,16 +345,15 @@ groups:
        text: "Ensure that the --DenyServiceExternalIPs is set (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
-          bin_op: or
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
-                op: have
+                op: has
                value: "DenyServiceExternalIPs"
        remediation: |
          Edit the API server pod specification file $apiserverconf
-          on the control plane node and remove the `DenyServiceExternalIPs`
-          from enabled admission plugins.
+          on the control plane node and add the `DenyServiceExternalIPs` plugin
+          to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
        scored: false

      - id: 1.2.4
--- a/cfg/cis-1.9/master.yaml
+++ b/cfg/cis-1.9/master.yaml
@ -360,12 +360,12 @@ groups:
          test_items:
            - flag: "--enable-admission-plugins"
              compare:
-                op: have
+                op: has
                value: "DenyServiceExternalIPs"
        remediation: |
          Edit the API server pod specification file $apiserverconf
-          on the control plane node and remove the `DenyServiceExternalIPs`
-          from enabled admission plugins.
+          on the control plane node and add the `DenyServiceExternalIPs` plugin
+          to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
        scored: false

      - id: 1.2.4