From 4b4c1ce70972b92a9f843b1660045f589757ad79 Mon Sep 17 00:00:00 2001
From: Andy Pitcher
Date: Mon, 30 Sep 2024 00:30:59 -0400
Subject: [PATCH] Modify `1.2.3 Ensure that the DenyServiceExternalIPs is set` in CIS-1.7/1.8 (#1607)

* Modify 1.2.3 Ensure that the DenyServiceExternalIPs is set
- op changed from `have` to `has` and removed bin_op: or
- remediation description changed to only include --enable-admission-plugins
* Apply changes for CIS-1.9
---
 cfg/cis-1.7/master.yaml | 7 +++----
 cfg/cis-1.8/master.yaml | 7 +++----
 cfg/cis-1.9/master.yaml | 6 +++---
 3 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/cfg/cis-1.7/master.yaml b/cfg/cis-1.7/master.yaml
index 1358242..283e89e 100644
--- a/cfg/cis-1.7/master.yaml
+++ b/cfg/cis-1.7/master.yaml
@@ -345,16 +345,15 @@ groups:
 text: "Ensure that the --DenyServiceExternalIPs is set (Manual)"
 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
- bin_op: or
 test_items:
 - flag: "--enable-admission-plugins"
 compare:
- op: have
+ op: has
 value: "DenyServiceExternalIPs"
 remediation: |
 Edit the API server pod specification file $apiserverconf
- on the control plane node and remove the `DenyServiceExternalIPs`
- from enabled admission plugins.
+ on the control plane node and add the `DenyServiceExternalIPs` plugin
+ to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
 scored: false
 
 - id: 1.2.4
diff --git a/cfg/cis-1.8/master.yaml b/cfg/cis-1.8/master.yaml
index d0c1332..8d639da 100644
--- a/cfg/cis-1.8/master.yaml
+++ b/cfg/cis-1.8/master.yaml
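Review bot: The remediation text added in this hunk names the flag as `--enable-admission-plugin=DenyServiceExternalIPs`, while the flag the check audits on the unchanged `flag:` line is `--enable-admission-plugins` (plural), so an operator who copies the remediation verbatim will most likely have the unknown flag rejected by kube-apiserver instead of enabling the plugin. The identical wording is added in the cfg/cis-1.8/master.yaml and cfg/cis-1.9/master.yaml hunks. Because that flag carries a comma-separated list, the sentence should also say to append to the current value rather than replace it, so plugins already enabled are not dropped when the setting is edited; e.g. `to the enabled admission plugins, for example --enable-admission-plugins=<existing-plugins>,DenyServiceExternalIPs.` with `<existing-plugins>` as a placeholder for the list already present. The check's own `id:` line sits above the hunk, so the enclosing check definition starts outside it.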
@@ -345,16 +345,15 @@ groups:
 text: "Ensure that the --DenyServiceExternalIPs is set (Manual)"
 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
- bin_op: or
 test_items:
 - flag: "--enable-admission-plugins"
 compare:
- op: have
+ op: has
 value: "DenyServiceExternalIPs"
 remediation: |
 Edit the API server pod specification file $apiserverconf
- on the control plane node and remove the `DenyServiceExternalIPs`
- from enabled admission plugins.
+ on the control plane node and add the `DenyServiceExternalIPs` plugin
+ to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
 scored: false
 
 - id: 1.2.4
diff --git a/cfg/cis-1.9/master.yaml b/cfg/cis-1.9/master.yaml
index 50edab1..51b9ab5 100644
--- a/cfg/cis-1.9/master.yaml
+++ b/cfg/cis-1.9/master.yaml
@@ -360,12 +360,12 @@ groups:
 test_items:
 - flag: "--enable-admission-plugins"
 compare:
- op: have
+ op: has
 value: "DenyServiceExternalIPs"
 remediation: |
 Edit the API server pod specification file $apiserverconf
- on the control plane node and remove the `DenyServiceExternalIPs`
- from enabled admission plugins.
+ on the control plane node and add the `DenyServiceExternalIPs` plugin
+ to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
 scored: false
 
 - id: 1.2.4