From d2fa9d35b6cfd6dd0919ab7fac397e449e811bbb Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Sat, 12 Aug 2017 12:29:21 +0000 Subject: [PATCH 1/5] Rewrite audit commands in the check definition that contain shell builtins and modify text to command function to support this. Shell builtins fail the binary command lookup test which result in a WARN. Audit commands which include shell builtins must use the form: "/bin/sh -c 'sh-builtin arg'" So they are executed properly. Additionally Go will fail to execute commands involving shell builtins if they are not in the above format. --- cfg/master.yaml | 54 ++++++++++++++++++++++++++++++++++++++++--------- cfg/node.yaml | 24 +++++++++++++--------- check/check.go | 52 +++++++++++++++++++++++++++++++++++++++++------ check/test.go | 15 +++++++++++--- 4 files changed, 116 insertions(+), 29 deletions(-) diff --git a/cfg/master.yaml b/cfg/master.yaml index 46aeb36..6f2cc33 100644 --- a/cfg/master.yaml +++ b/cfg/master.yaml @@ -595,10 +595,14 @@ groups: checks: - id: 1.4.1 text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $apiserverconf; then stat -c %a $apiserverconf; fi" + # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" tests: test_items: - flag: "644" + compare: + op: eq + value: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $apiserverconf" 
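Review bot: The commented-out `# audit: "/bin/bash -c 'if test -e $apiserverconf; …'"` line kept above the new `/bin/sh` audit for 1.4.1 is leftover and should be dropped; none of the sibling checks carry it. The `$apiserverconf` placeholder appears to be replaced on the Go side before the string reaches `textToCommand` (the substitution code is not in this hunk), so a configured path containing whitespace would be word-split by `sh` once it is inside the `-c '…'` script; quoting the expansion, `'if test -e "$apiserverconf"; then stat -c %a "$apiserverconf"; fi'`, covers that, though a path containing a single quote would still break the outer quoting and is worth a comment on the check. Note also that with `compare: op: eq value: "644"` this check now passes only the exact mode `644`, not the "more restrictive" modes its title promises.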
@@ -606,10 +610,13 @@ groups: - id: 1.4.2 text: "Ensure that the apiserver file ownership is set to root:root (Scored)" - audit: "if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" tests: test_items: - flag: "root:root" + compare: + op: eq + value: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chown root:root $apiserverconf" @@ -617,10 +624,13 @@ groups: - id: 1.4.3 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $config; then stat -c %a $config; fi" + audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" tests: test_items: - flag: "644" + compare: + op: eq + value: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $config" @@ -628,10 +638,13 @@ groups: - id: 1.4.4 text: "Ensure that the config file ownership is set to root:root (Scored)" - audit: "if test -e $config; then stat -c %U:%G $config; fi" + audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" tests: test_items: - flag: "root:root" + compare: + op: eq + value: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chown root:root $config" @@ -639,10 +652,13 @@ groups: - id: 1.4.5 text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $schedulerconf; then stat -c %a $schedulerconf; fi" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" tests: test_items: - flag: "644" + compare: + op: eq + value: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $schedulerconf" 
@@ -650,10 +666,13 @@ groups: - id: 1.4.6 text: "Ensure that the scheduler file ownership is set to root:root (Scored)" - audit: "if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" tests: test_items: - flag: "root:root" + compare: + op: eq + value: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chown root:root $schedulerconf" @@ -661,10 +680,13 @@ groups: - id: 1.4.7 text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $etcdconf; then stat -c %a $etcdconf; fi" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" tests: test_items: - flag: "644" + compare: + op: eq + value: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $etcdconf" @@ -672,10 +694,13 @@ groups: - id: 1.4.8 text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" - audit: "if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" tests: test_items: - flag: "root:root" + compare: + op: eq + value: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chown root:root $etcdconf" 
@@ -683,10 +708,13 @@ groups: - id: 1.4.9 text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $flanneldconf; then stat -c %a $flanneldconf; fi" + audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" tests: test_items: - flag: "644" + compare: + op: eq + value: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $flanneldconf" @@ -694,10 +722,13 @@ groups: - id: 1.4.10 text: "Ensure that the flanneld file ownership is set to root:root (Scored)" - audit: "if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi" + audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'" tests: test_items: - flag: "root:root" + compare: + op: eq + value: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chown root:root $flanneldconf" @@ -709,6 +740,9 @@ groups: tests: test_items: - flag: "700" + compare: + op: eq + value: "700" set: true remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir , from the below command:\n diff --git a/cfg/node.yaml b/cfg/node.yaml index 94e48f7..0b5b90b 100644 --- a/cfg/node.yaml +++ b/cfg/node.yaml @@ -221,7 +221,7 @@ groups: checks: - id: 2.2.1 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $config; then stat -c %a $config; fi" + audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" tests: test_items: - flag: "644" 
@@ -232,10 +232,13 @@ groups: - id: 2.2.2 text: "Ensure that the config file ownership is set to root:root (Scored)" - audit: "if test -e $config; then stat -c %U:%G $config; fi" + audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" tests: test_items: - flag: "root:root" + compare: + op: eq + value: root:root set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chown root:root $config" @@ -243,10 +246,13 @@ groups: - id: 2.2.3 text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $kubeletconf; then stat -c %a $kubeletconf; fi" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" tests: test_items: - flag: "644" + compare: + op: eq + value: 644 set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $kubeletconf" @@ -254,7 +260,7 @@ groups: - id: 2.2.4 text: "Ensure that the kubelet file ownership is set to root:root (Scored)" - audit: "if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" tests: test_items: - flag: "root:root" @@ -265,7 +271,7 @@ groups: - id: 2.2.5 text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $proxyconf; then stat -c %a $proxyconf; fi" + audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" tests: test_items: - flag: "644" @@ -276,7 +282,7 @@ groups: - id: 2.2.6 text: "Ensure that the proxy file ownership is set to root:root (Scored)" - audit: "if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi" + audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" tests: test_items: - flag: "root:root" 
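Review bot: Checks 2.2.4, 2.2.5 and 2.2.6 in this hunk are rewritten to `/bin/sh -c` but, unlike 2.2.2 and 2.2.3, get no `compare:` block, so their `flag: "root:root"` / `flag: "644"` items rely on the bare flag match alone; if that match is a substring test, as its use on `--flag` output suggests, an owner string such as `nonroot:root` would satisfy 2.2.4 and 2.2.6. Add `compare: op: eq value: "root:root"` (and `value: "644"` for 2.2.5) to those items as well. Separately, `value: root:root` (2.2.2) and `value: 644` (2.2.3) are the only unquoted compare values in the series; `644` is decoded as a YAML integer and only works if the decoder coerces it into the string field, so quote both to match the master file.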
@@ -285,11 +291,10 @@ groups: \nFor example, chown root:root $proxyconf" scored: true -# TODO: provide flag to WARN about manual checks. - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $ca-file; then stat -c %a $ca-file; fi" + audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'" tests: test_items: - flag: "644" @@ -298,10 +303,9 @@ groups: \nchmod 644 " scored: true -# TODO: provide flag to WARN about manual checks. - id: 2.2.8 text: "Ensure that the client certificate authorities file ownership is set to root:root" - audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi" + audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" tests: test_items: - flag: "notexist:notexist" diff --git a/check/check.go b/check/check.go index e73c58f..86f3939 100644 --- a/check/check.go +++ b/check/check.go @@ -20,6 +20,7 @@ import ( "io" "os" "os/exec" + "regexp" "strings" ) @@ -75,8 +76,7 @@ func (c *Check) Run(verbose bool) { // Check if command exists or exit with WARN. for _, cmd := range c.Commands { - _, err := exec.LookPath(cmd.Path) - if err != nil { + if !isShellCommand(cmd.Path) { c.State = WARN return } @@ -111,7 +111,6 @@ func (c *Check) Run(verbose bool) { cs[i].Args, ), ) - i++ } 
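Review bot: In 2.2.7 and 2.2.8 the placeholder `$ca-file` now sits inside a `sh -c` script; if it is ever left unsubstituted (the substitution step is outside this patch), the shell expands `$ca` to empty and runs `test -e -file`, which quietly prints nothing and turns the check into a FAIL, whereas the previous bare form could not even be exec'd and produced a WARN. A placeholder name that is a valid shell identifier, e.g. `$cafile`, would at least fail loudly with an unset-variable error under `set -u`, and removes the ambiguity. The removed `# TODO: provide flag to WARN about manual checks.` markers should probably move into a tracked issue rather than vanish, since 2.2.8 still tests for the sentinel `notexist:notexist`.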
@@ -160,18 +159,44 @@ func (c *Check) Run(verbose bool) {
 	}
 }
 
-// textToCommand transforms a text representation of commands to be
+// textToCommand transforms an input text representation of commands to be
 // run into a slice of commands.
 // TODO: Make this more robust.
 func textToCommand(s string) []*exec.Cmd {
 	cmds := []*exec.Cmd{}
 
 	cp := strings.Split(s, "|")
-	// fmt.Println("check.toCommand:", cp)
 
 	for _, v := range cp {
 		v = strings.Trim(v, " ")
-		cs := strings.Split(v, " ")
+
+		// TODO:
+		// GOAL: To split input text into arguments for exec.Cmd.
+		//
+		// CHALLENGE: The input text may contain quoted strings that
+		// must be passed as a unit to exec.Cmd.
+		// eg. bash -c 'foo bar'
+		// 'foo bar' must be passed as unit to exec.Cmd if not the command
+		// will fail when it is executed.
+		// eg. exec.Cmd("bash", "-c", "foo bar")
+		//
+		// PROBLEM: Current solution assumes the grouped string will always
+		// be at the end of the input text.
+		re := regexp.MustCompile(`^(.*)(['"].*['"])$`)
+		grps := re.FindStringSubmatch(v)
+
+		var cs []string
+		if len(grps) > 0 {
+			s := strings.Trim(grps[1], " ")
+			cs = strings.Split(s, " ")
+
+			s1 := grps[len(grps)-1]
+			s1 = strings.Trim(s1, "'\"")
+
+			cs = append(cs, s1)
+		} else {
+			cs = strings.Split(v, " ")
+		}
 
 		cmd := exec.Command(cs[0], cs[1:]...)
 		cmds = append(cmds, cmd)
@@ -179,3 +204,18 @@ func textToCommand(s string) []*exec.Cmd {
 
 	return cmds
 }
+
+func isShellCommand(s string) bool {
+	cmd := exec.Command("/bin/sh", "-c", "command -v "+s)
+
+	out, err := cmd.Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%s\n", err)
+		os.Exit(1)
+	}
+
+	if strings.Contains(string(out), s) {
+		return true
+	}
+	return false
+}
diff --git a/check/test.go b/check/test.go
index f89e989..06c1b93 100644
--- a/check/test.go
+++ b/check/test.go
@@ -38,6 +38,7 @@ const (
 type testItem struct {
 	Flag string
+	Output string
 	Value string
 	Set bool
 	Compare compare
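Review bot: `isShellCommand` calls `os.Exit(1)` on any error from `cmd.Output()`, and `command -v` exits non-zero exactly when the name is neither a builtin nor on `PATH`, so an unknown audit command now aborts the whole run instead of reaching the `c.State = WARN` branch that the earlier `Run` hunk switched over to this helper. A non-zero exit should be reported as "not found", and `s` should be passed to the shell as a positional argument rather than concatenated into the `-c` string, since it originates in the YAML check definitions. The `strings.Contains(string(out), s)` test is also looser than needed; a non-empty output is the signal. In `textToCommand`, `^(.*)(['"].*['"])$` is greedy, so a command with two quoted arguments (`sh -c 'a' 'b'`) folds `'a' 'b'` into a single argument, and the regexp is recompiled on every loop iteration; worth hoisting and stating next to the existing PROBLEM comment. Only the closing braces of `Run` are visible in the first hunk.

```go
func isShellCommand(s string) bool {
	// Pass the name as $1 so it is never interpolated into the shell script.
	cmd := exec.Command("/bin/sh", "-c", `command -v "$1"`, "sh", s)

	out, err := cmd.Output()
	if err != nil {
		// command -v exits non-zero when s is neither a builtin nor on PATH;
		// report "not found" so the caller can WARN instead of aborting.
		return false
	}
	return strings.TrimSpace(string(out)) != ""
}
```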
@@ -57,14 +58,22 @@ func (t *testItem) execute(s string) (result bool) {
 	isset := match
 
 	if isset && t.Compare.Op != "" {
-		pttn := t.Flag + `=([^\s,]*) *`
+		// Expects flags in the form;
+		// --flag=somevalue
+		// --flag
+		// somevalue
+		pttn := `(` + t.Flag + `)(=)*([^\s,]*) *`
 		flagRe := regexp.MustCompile(pttn)
 		vals := flagRe.FindStringSubmatch(s)
 
 		if len(vals) > 0 {
-			flagVal = vals[1]
+			if vals[3] != "" {
+				flagVal = vals[3]
+			} else {
+				flagVal = vals[1]
+			}
 		} else {
-			fmt.Fprintf(os.Stderr, "expected value for %s but none found\n", t.Flag)
+			fmt.Fprintf(os.Stderr, "invalid flag in testitem definition")
 			os.Exit(1)
 		}
 
From 0933fa420b887bd444a6c9b04ff5893e71746069 Mon Sep 17 00:00:00 2001
From: Abubakr-Sadik Nii Nai Davis
Date: Sat, 12 Aug 2017 18:54:33 +0000
Subject: [PATCH 2/5] Add new tests and clean up old tests.

---
 check/data         | 93 +++++++++++++--------------------------------
 check/test_test.go | 57 ++++++++++++----------------
 2 files changed, 48 insertions(+), 102 deletions(-)

diff --git a/check/data b/check/data
index 8e03efa..73575b3 100644
--- a/check/data
+++ b/check/data
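Review bot: `t.Flag` is spliced into the pattern unescaped, so a flag containing regexp metacharacters (a `.` in an address, a `+`, a `(`) matches more than its literal text or panics in `MustCompile`; build it as `pttn := `(` + regexp.QuoteMeta(t.Flag) + `)(=)?([^\s,]*) *``, where `(=)?` also replaces `(=)*`, which currently accepts any run of `=` signs while keeping the same group numbering. The replacement diagnostic drops both the flag name and the trailing newline, so the operator no longer learns which test item was bad; `fmt.Fprintf(os.Stderr, "invalid flag %q in testitem definition\n", t.Flag)` keeps it useful. The `execute` method begins and ends outside this hunk, including the computation of `match`.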
@@ -7,59 +7,42 @@ groups: - id: 1.1 text: "Kube-apiserver" checks: - - id: 1.1.1 - text: "Ensure that the --allow-privileged argument is set (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 0 + text: "flag is set" tests: test_items: - - - flag: "--allow-privileged" + - flag: "--allow-privileged" set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.2 - text: "Ensure that the --basic-auth argument is not set (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 1 + text: "flag is not set" tests: test_item: - - - flag: "--basic-auth" + - flag: "--basic-auth" set: false - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.3 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 2 + text: "flag value is set to some value" tests: test_items: - - - flag: "--insecure-port" + - flag: "--insecure-port" compare: op: eq value: 0 set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.4 - text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 3 + text: "flag value is greater than or equal some number" tests: test_items: - - - flag: "--audit-log-maxage" + - flag: "--audit-log-maxage" compare: op: gte value: 30 set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.5 - text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)" - audit: "ps -ef | grep kube-apiserver | 
grep -v grep" + - id: 4 + text: "flag value is less than some number" tests: test_items: - flag: "--max-backlog" @@ -67,26 +50,19 @@ groups: op: lt value: 30 set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.6 - text: "Ensure admission control does not include AlwaysAdmit (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 5 + text: "flag value does not have some value" tests: test_items: - - - flag: "--admission-control" + - flag: "--admission-control" compare: op: nothave value: AlwaysAdmit set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.7 - text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 6 + text: "test AND binary operation" tests: bin_op: and test_items: @@ -94,17 +70,13 @@ groups: set: true - flag: "--kubelet-clientkey" set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.8 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 7 + text: "test OR binary operation" tests: bin_op: or test_items: - - - flag: "--secure-port" + - flag: "--secure-port" compare: op: eq value: 0 
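Review bot: Case 1 ("flag is not set") keeps the context key `test_item:` (singular) while every other case uses `test_items:`; if the loader only recognises `test_items`, this case carries no items and the companion test exercises an empty test rather than the `set: false` path, which is the one behaviour the case was meant to pin. Suggest `test_items:` there, hedged because the yaml tags on the `tests` struct are not in view. The renumbered fixture also has no case whose expected result is `false`, so a regression that makes `execute` return `true` unconditionally would still pass.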
@@ -112,28 +84,13 @@ groups: - flag: "--secure-port" set: false - remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port." - scored: true - - id: 1.4.1 - text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/kubernetes/apiserver" + - id: 8 + text: "test flag with arbitrary text" tests: test_items: - flag: "644" - set: true - remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver" - scored: true - - - id: 2.1.14 - text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" - audit: "ps -ef | grep kubelet | grep -v grep" - tests: - test_items: - - flag: "KubeletClient" compare: op: eq - value: true + value: "644" set: true - remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver" - scored: true diff --git a/check/test_test.go b/check/test_test.go index 7fc5832..f605309 100644 --- a/check/test_test.go +++ b/check/test_test.go @@ -16,6 +16,8 @@ package check import ( "io/ioutil" + "os" + "strings" "testing" ) 
@@ -30,79 +32,66 @@ func init() { if err != nil { panic("Failed reading test data: " + err.Error()) } - controls, err = NewControls(MASTER, in) + + // substitute variables in data file + user := os.Getenv("USER") + s := strings.Replace(string(in), "$user", user, -1) + + controls, err = NewControls(MASTER, []byte(s)) + // controls, err = NewControls(MASTER, in) if err != nil { panic("Failed creating test controls: " + err.Error()) } } func TestTestExecute(t *testing.T) { + cases := []struct { - *tests - testfor string - str string + *Check + str string }{ { - controls.Groups[0].Checks[0].Tests, - "flag set", + controls.Groups[0].Checks[0], "2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40", }, { - controls.Groups[0].Checks[1].Tests, - "flag not set", + controls.Groups[0].Checks[1], "2:45 ../kubernetes/kube-apiserver --allow-privileged=false", }, { - controls.Groups[0].Checks[2].Tests, - "flag and value set", + controls.Groups[0].Checks[2], "niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth", }, { - controls.Groups[0].Checks[3].Tests, - "flag value greater than value", + controls.Groups[0].Checks[3], "2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option", }, { - controls.Groups[0].Checks[4].Tests, - "flag value less than value", + controls.Groups[0].Checks[4], "2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option", }, { - controls.Groups[0].Checks[5].Tests, - "flag value does not have", + controls.Groups[0].Checks[5], "2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40", }, { - controls.Groups[0].Checks[6].Tests, - "AND multiple tests, all testitems pass", + controls.Groups[0].Checks[6], "2:45 .. 
--kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC", }, { - controls.Groups[0].Checks[7].Tests, - "OR multiple tests", + controls.Groups[0].Checks[7], "2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC", }, { - controls.Groups[0].Checks[8].Tests, - "text", + controls.Groups[0].Checks[8], "644", }, - { - controls.Groups[0].Checks[9].Tests, - "flag value is comma-separated", - "2:35 ../kubelet --features-gates=KubeletClient=true,KubeletServer=true", - }, - { - controls.Groups[0].Checks[9].Tests, - "flag value is comma-separated", - "2:35 ../kubelet --features-gates=KubeletServer=true,KubeletClient=true", - }, } for _, c := range cases { - res := c.tests.execute(c.str) + res := c.Tests.execute(c.str) if !res { - t.Errorf("%s, expected:%v, got:%v\n", c.testfor, true, res) + t.Errorf("%s, expected:%v, got:%v\n", c.Text, true, res) } } } From 7c7d477d78b9aff21a51bc078fe69e4d3703fbeb Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Sat, 12 Aug 2017 19:10:31 +0000 Subject: [PATCH 3/5] Import os to fix issue in previous merge commit. --- check/check.go | 1 + 1 file changed, 1 insertion(+) diff --git a/check/check.go b/check/check.go index 7a41b19..4f91340 100644 --- a/check/check.go +++ b/check/check.go @@ -18,6 +18,7 @@ import ( "bytes" "fmt" "io" + "os" "os/exec" "regexp" "strings" From e6f2b4d4fed8d735a61281d80df24d982326d85f Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 15 Aug 2017 15:47:01 +0000 Subject: [PATCH 4/5] Add config checks for permissions stricter that 644 to definition files. --- cfg/master.yaml | 30 ++++++++++++++++++++++++++++++ cfg/node.yaml | 33 +++++++++++++++++++++++++++++++++ cmd/util.go | 6 ++++-- 3 files changed, 67 insertions(+), 2 deletions(-) diff --git a/cfg/master.yaml b/cfg/master.yaml index 7005f95..e02f76f 100644 --- a/cfg/master.yaml +++ b/cfg/master.yaml 
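Review bot: The new `init` substitutes `$user` from `os.Getenv("USER")` into the fixture, but no `$user` placeholder appears in the `check/data` hunks of this series, and `USER` is frequently unset in container and CI environments; if a later fixture depends on it, fall back to `user.Current()` or skip with a clear message. The commented-out `// controls, err = NewControls(MASTER, in)` line should be deleted rather than kept next to its replacement. Every case in `TestTestExecute` expects `true`; an `expected bool` field and a few inputs that must fail (for example `--insecure-port=8080` against case 2, or a `--max-backlog=40` against case 4) would make the `eq`/`gte`/`lt`/`nothave` operators actually testable.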
@@ -599,12 +599,18 @@ groups: # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" tests: + bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $apiserverconf" scored: true @@ -627,12 +633,18 @@ groups: text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" tests: + bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $config" scored: true @@ -655,12 +667,18 @@ groups: text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" tests: + bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $schedulerconf" scored: true @@ -683,12 +701,18 @@ groups: text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" tests: + bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $etcdconf" scored: true 
@@ -711,12 +735,18 @@ groups: text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" tests: + bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $flanneldconf" scored: true diff --git a/cfg/node.yaml b/cfg/node.yaml index 0b5b90b..5e43638 100644 --- a/cfg/node.yaml +++ b/cfg/node.yaml @@ -223,8 +223,17 @@ groups: text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" tests: + bin_op: or test_items: - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "600" + compare: + op: eq + value: "600" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $config" @@ -248,12 +257,18 @@ groups: text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" tests: + bin_op: or test_items: - flag: "644" compare: op: eq value: 644 set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $kubeletconf" scored: true 
@@ -273,8 +288,17 @@ groups: text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" tests: + bin_op: or test_items: - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "600" + compare: + op: eq + value: "600" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $proxyconf" @@ -296,8 +320,17 @@ groups: 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'" tests: + bin_op: or test_items: - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "600" + compare: + op: eq + value: "600" set: true remediation: "Run the following command to modify the file permissions of the --client-ca-file \nchmod 644 " diff --git a/cmd/util.go b/cmd/util.go index 937e3e0..64950f2 100644 --- a/cmd/util.go +++ b/cmd/util.go @@ -69,7 +69,8 @@ func verifyConf(confPath ...string) { for _, c := range confPath { if _, err := os.Stat(c); err != nil && os.IsNotExist(err) { - continueWithError(err, "") + e := fmt.Errorf("configuration file %s not found", c) + continueWithError(e, "") missing += c + ", " } } @@ -93,8 +94,9 @@ func verifyBin(binPath ...string) { bin = bin + "," + b binSlice = append(binSlice, b) if err != nil { + e := fmt.Errorf("executable file %s not found", b) + continueWithError(e, "") missing += b + ", " - continueWithError(err, "") } } bin = strings.Trim(bin, ",") From 086bb629db1f8b86c31c0ac3388bc1316faef36a Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 15 Aug 2017 15:56:37 +0000 Subject: [PATCH 5/5] Add 640 to permission checks. --- cfg/master.yaml | 25 +++++++++++++++++++++++++ cfg/node.yaml | 20 ++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/cfg/master.yaml b/cfg/master.yaml index e02f76f..f54bf6a 100644 --- a/cfg/master.yaml +++ b/cfg/master.yaml 
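Review bot: In `verifyBin` the original `err` is replaced by a generic "executable file %s not found", but `err` is produced outside the hunk and may be something other than a lookup miss (a permission error from `exec.LookPath`, for instance), which the new text would misreport; keep the cause, `e := fmt.Errorf("executable file %s not found: %v", b, err)`. In `verifyConf` the condition `err != nil && os.IsNotExist(err)` silently skips any other `os.Stat` failure (e.g. EACCES), so an unreadable config is treated as present; an `else if err != nil` branch that reports it would close that gap. Both functions start and end outside these hunks.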
@@ -606,6 +606,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq @@ -640,6 +645,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq @@ -674,6 +684,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq @@ -708,6 +723,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq @@ -742,6 +762,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq diff --git a/cfg/node.yaml b/cfg/node.yaml index 5e43638..dfff376 100644 --- a/cfg/node.yaml +++ b/cfg/node.yaml @@ -230,6 +230,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq @@ -264,6 +269,11 @@ groups: op: eq value: 644 set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq @@ -295,6 +305,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq @@ -327,6 +342,11 @@ groups: op: eq value: "644" set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true - flag: "600" compare: op: eq
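Review bot: Enumerating `644`, `640` and `600` under `bin_op: or` still rejects modes that are strictly more restrictive, so an administrator who hardens a config file to `400`, `440`, `444` or `604` gets a FAIL from a check titled "644 or more restrictive", and the list has to be edited every time another mode is wanted. The robust fix is a comparator instead of an enumeration: a `bitmask` operator in `test.go` that parses the `stat -c %a` output as octal and passes when no bit outside the allowed mask is set (`mode &^ 0644 == 0`), applied as one test item `compare: op: bitmask value: "644"`. Until that exists, each of these checks deserves a comment stating that only the three listed modes are accepted, so the FAIL on a legitimately tighter mode is not mistaken for a misconfiguration.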