Add option to do bitmask (#565)

* Add option to do bitwise and between two value in order to compare permissions

* Update test.go

Removed self debug note

* Update test_test.go

FIx typo

* Update test.go

* Update test.go

Switched the max and requested values, because they had accidentally been assigned the other way round, and removed the old function related to the octal base

* Update test_test.go

* Update test_test.go
yoavrotems 4 years ago committed by GitHub
parent 451721a1cf
commit 60f2fb592a

@ -844,45 +844,14 @@ groups:
- id: 1.4.1
text: "Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -909,45 +878,14 @@ groups:
- id: 1.4.3
text: "Ensure that the controller manager pod specification file
permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -974,45 +912,14 @@ groups:
- id: 1.4.5
text: "Ensure that the scheduler pod specification file permissions are set
to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -1039,45 +946,14 @@ groups:
- id: 1.4.7
text: "Ensure that the etcd pod specification file permissions are set to
644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -1104,7 +980,7 @@ groups:
- id: 1.4.9
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
audit: "stat -c permissions=%a <path/to/cni/files>"
type: "manual"
remediation: |
[Manual test]
@ -1127,12 +1003,12 @@ groups:
- id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
tests:
test_items:
- flag: "700"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "700"
set: true
remediation: |
@ -1161,45 +1037,14 @@ groups:
- id: 1.4.13
text: "Ensure that the admin.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -1225,45 +1070,14 @@ groups:
- id: 1.4.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@ -1287,45 +1101,14 @@ groups:
- id: 1.4.17
text: "Ensure that the controller-manager.conf file permissions are set
to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
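Review bot: Nothing in the YAML records which way the new `bitmask` comparison reads `value`, although the commit message says the two operands were initially swapped; in check 1.4.1 (and every other `op: bitmask` item in this file, 1.4.3 through 1.4.17) `value: "644"` is now the maximum permitted mode rather than a required one, and the removed list of accepted modes was what made that intent readable. A one-line comment at the first use, e.g. `# bitmask: passes when the observed mode sets no bit outside value (644 or more restrictive)`, would preserve it; the same applies to the 700 directory check in 1.4.11. `bin_op: or` is also kept in each of these checks for what is now a single test item, which is harmless but misleading.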

@ -358,45 +358,14 @@ groups:
checks:
- id: 2.2.1
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
@ -421,45 +390,14 @@ groups:
- id: 2.2.3
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
- flag: "permissions"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
@ -481,45 +419,14 @@ groups:
- id: 2.2.5
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
- flag: "permissions"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
@ -576,45 +483,14 @@ groups:
- id: 2.2.10
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
- flag: "permissions"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
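Review bot: The `permissions=%a` audit output can carry a fourth leading octal digit when a special bit is set (`stat -c %a` prints `1644` for a sticky-bit file, for example), and nothing in checks 2.2.1, 2.2.3, 2.2.5 or 2.2.10 says whether the `bitmask` comparison treats the flag value as octal. The commit message mentions removing the old octal-base function, so this presumably lives in test.go, which is not part of this section; it is worth confirming there that both operands are parsed base 8 and that a mode with extra high bits fails the check instead of being compared as decimal. `bin_op: or` is still present after `test_items` in each of these checks although only one item remains.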

@ -846,45 +846,14 @@ groups:
- id: 1.4.1
text: "Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -911,45 +880,14 @@ groups:
- id: 1.4.3
text: "Ensure that the controller manager pod specification file
permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -976,45 +914,14 @@ groups:
- id: 1.4.5
text: "Ensure that the scheduler pod specification file permissions are set
to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -1041,45 +948,14 @@ groups:
- id: 1.4.7
text: "Ensure that the etcd pod specification file permissions are set to
644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -1106,7 +982,7 @@ groups:
- id: 1.4.9
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
audit: "stat -c permissions=%a <path/to/cni/files>"
type: "manual"
remediation: |
[Manual test]
@ -1129,12 +1005,12 @@ groups:
- id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
tests:
test_items:
- flag: "700"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "700"
set: true
remediation: |
@ -1163,45 +1039,14 @@ groups:
- id: 1.4.13
text: "Ensure that the admin.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -1227,45 +1072,14 @@ groups:
- id: 1.4.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@ -1289,45 +1103,14 @@ groups:
- id: 1.4.17
text: "Ensure that the controller-manager.conf file permissions are set
to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
@ -1370,43 +1153,12 @@ groups:
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
type: "manual"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
@ -1419,9 +1171,9 @@ groups:
type: "manual"
tests:
test_items:
- flag: "600"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "600"
set: true
remediation: |
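Review bot: The pki `*.crt` check switches its test item to `flag: "permissions"` with `op: bitmask`, but its audit line (`stat -c %n\ %a /etc/kubernetes/pki/*.crt`) is left unchanged, so the audit output contains no `permissions=` token for the flag to match. The check is `type: "manual"`, so nothing fails at runtime, but the test_items no longer describe the audit; the audit should follow the pattern used by every other check in this commit, e.g. `audit: "stat -c permissions=%a\ %n /etc/kubernetes/pki/*.crt"`. The following `@ -1419,9 +1171,9` hunk (the 600 check, also manual) does not show its audit line, so whether it was updated cannot be told from here.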

@ -341,45 +341,14 @@ groups:
checks:
- id: 2.2.1
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
- flag: "permissions"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
@ -404,45 +373,14 @@ groups:
- id: 2.2.3
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
- flag: "permissions"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
@ -464,45 +402,14 @@ groups:
- id: 2.2.5
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
- flag: "permissions"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
@ -524,25 +431,15 @@ groups:
- id: 2.2.7
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c permissions=%a $kubeletcafile; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
@ -577,45 +474,14 @@ groups:
- id: 2.2.10
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
- flag: "permissions"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
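Review bot: Check 2.2.7 changes its accepted set, not just its encoding: the removed `eq` list allowed only 644, 640 and 600, while `op: bitmask` with `value: "644"` also passes 444, 440, 400 and 000. That matches the check text ("644 or more restrictive") and is consistent with the other checks, but it is a behavioural change for this item that the commit message does not mention; a sentence in the description, or a comment on the item such as `# bitmask: any mode with no bit outside 644 passes, including the read-only modes`, would make it deliberate.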

@ -10,45 +10,14 @@ groups:
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the
master node.
@ -73,45 +42,14 @@ groups:
- id: 1.1.3
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -136,45 +74,14 @@ groups:
- id: 1.1.5
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -199,45 +106,14 @@ groups:
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -262,7 +138,7 @@ groups:
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
audit: "stat -c permissions=%a <path/to/cni/files>"
type: "manual"
remediation: |
Run the below command (based on the file location on your system) on the master node.
@ -282,12 +158,12 @@ groups:
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
tests:
test_items:
- flag: "700"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "700"
set: true
remediation: |
@ -314,45 +190,14 @@ groups:
- id: 1.1.13
text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -377,45 +222,14 @@ groups:
- id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -440,45 +254,14 @@ groups:
- id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,

@ -10,45 +10,14 @@ groups:
checks:
- id: 4.1.1
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
- flag: "permissions"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
@ -70,45 +39,14 @@ groups:
- id: 4.1.3
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
- flag: "permissions"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
@ -129,45 +67,14 @@ groups:
- id: 4.1.5
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
- flag: "permissions"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
@ -215,45 +122,14 @@ groups:
- id: 4.1.9
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "644"
- flag: "permissions"
set: true
compare:
op: eq
op: bitmask
value: "644"
- flag: "640"
set: true
compare:
op: eq
value: "640"
- flag: "600"
set: true
compare:
op: eq
value: "600"
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
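Review bot: With a single `permissions` test item per check, the `bin_op: or` that survives next to `test_items:` (visible at L1651, L1700, L1749 and L1799 in this file, and as a context line in the master and OpenShift hunks as well) no longer combines anything and reads as a leftover of the removed seven-item list; dropping it, or replacing it with a one-line comment such as `# bitmask: PASS when the file's mode bits are a subset of 644`, would make the new intent obvious to the next editor. The rendered layout of these hunks is scrambled, so I am inferring the new-side layout from the other files' hunks. One behavioural consequence worth stating in the check text is that `stat -c %a` also prints special bits (e.g. a leading `4` for setuid), which now correctly fail the bitmask test where the old `eq` list would simply not have matched.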

@ -815,12 +815,12 @@ groups:
checks:
- id: 4.1
text: "Verify the OpenShift default permissions for the API server pod specification file"
audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
audit: "stat -c permissions=%a /etc/origin/node/pods/apiserver.yaml"
tests:
test_items:
- flag: "600"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "600"
set: true
remediation: |
@ -847,12 +847,12 @@ groups:
- id: 4.3
text: "Verify the OpenShift default file permissions for the controller manager pod specification file"
audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
tests:
test_items:
- flag: "600"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "600"
set: true
remediation: |
@ -879,18 +879,18 @@ groups:
- id: 4.5
text: "Verify the OpenShift default permissions for the scheduler pod specification file"
audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
tests:
test_items:
- flag: "600"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "600"
set: true
remediation: |
Run the below command.
chmod 600 stat -c %a /etc/origin/node/pods/controller.yaml
chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml
scored: true
- id: 4.6
@ -911,12 +911,12 @@ groups:
- id: 4.7
text: "Verify the OpenShift default etcd pod specification file permissions"
audit: "stat -c %a /etc/origin/node/pods/etcd.yaml"
audit: "stat -c permissions=%a /etc/origin/node/pods/etcd.yaml"
tests:
test_items:
- flag: "600"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "600"
set: true
remediation: |
@ -943,45 +943,14 @@ groups:
- id: 4.9
text: "Verify the default OpenShift Container Network Interface file permissions"
audit: "stat -c %a /etc/origin/openvswitch/ /etc/cni/net.d/"
audit: "stat -c permissions=%a /etc/origin/openvswitch/ /etc/cni/net.d/"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command.
@ -1006,12 +975,12 @@ groups:
- id: 4.11
text: "Verify the default OpenShift etcd data directory permissions"
audit: "stat -c %a /var/lib/etcd"
audit: "stat -c permissions=%a /var/lib/etcd"
tests:
test_items:
- flag: "700"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "700"
set: true
remediation: |
@ -1040,45 +1009,14 @@ groups:
- id: 4.13
text: "Verify the default OpenShift admin.conf file permissions"
audit: "stat -c %a /etc/origin/master/admin.kubeconfig"
audit: "stat -c permissions=%a /etc/origin/master/admin.kubeconfig"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command.
@ -1103,45 +1041,14 @@ groups:
- id: 4.15
text: "Verify the default OpenShift scheduler.conf file permissions"
audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command.
@ -1166,45 +1073,14 @@ groups:
- id: 4.17
text: "Verify the default Openshift controller-manager.conf file permissions"
audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command.
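Review bot: The remediation line at L1852 now reads `chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml`; the mechanical `%a` → `permissions=%a` replacement hit a remediation string that was already a malformed command, and it should instead be `chmod 600 /etc/origin/node/pods/controller.yaml`. While in check 4.5, the audit at L1839 still stats `controller.yaml` although the check text is about the scheduler pod specification — that predates this change but is worth correcting in the same pass. In check 4.9 (L1874) the audit stats two paths and so emits two `permissions=` lines; whether the single `permissions` item is evaluated against both outputs or only the first cannot be told from here and deserves a test, since the old `or` list had the same ambiguity.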

@ -213,45 +213,14 @@ groups:
checks:
- id: 8.1
text: "Verify the OpenShift default permissions for the kubelet.conf file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig
@ -274,45 +243,14 @@ groups:
- id: 8.3
text: "Verify the kubelet service file permissions of 644"
audit: "stat -c %a $nodesvc"
audit: "stat -c permissions=%a $nodesvc"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 $nodesvc
@ -335,45 +273,14 @@ groups:
- id: 8.5
text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig
@ -396,45 +303,14 @@ groups:
- id: 8.7
text: "Verify the OpenShift default permissions for the certificate authorities file."
audit: "stat -c %a /etc/origin/node/client-ca.crt"
audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt"
tests:
bin_op: or
test_items:
- flag: "644"
- flag: "permissions"
compare:
op: eq
op: bitmask
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/client-ca.crt

@ -210,8 +210,16 @@ func compareOp(tCompareOp string, flagVal string, tCompareValue string) (string,
target := splitAndRemoveLastSeparator(tCompareValue, defaultArraySeparator)
testResult = allElementsValid(s, target)
case "bitmask":
expectedResultPattern = "bitmask '%s' AND '%s'"
requested, err := strconv.ParseInt(flagVal, 8, 64)
max, err := strconv.ParseInt(tCompareValue, 8, 64)
if err != nil {
fmt.Fprintf(os.Stderr, "Not numeric value - flag: %q - compareValue: %q %v\n", flagVal, tCompareValue, err)
os.Exit(1)
}
testResult = (max & requested) == requested
}
if expectedResultPattern == "" {
return expectedResultPattern, testResult
}
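Review bot: The `err` returned by `strconv.ParseInt(flagVal, 8, 64)` at L2273 is overwritten by the second `ParseInt` at L2274 before it is checked, so an unparsable flag value yields `requested == 0`, and `(max & 0) == 0` is true — the check would report PASS on garbage or empty `stat` output, which is the failure mode this test exists to catch. Each parse needs its own check, and the local `max` should be renamed (it shadows the `max` builtin introduced in Go 1.21 and says nothing about permissions). Exiting the process on a non-numeric value matches the pattern already used here, so I have kept it, but the error message should name only the value that actually failed to parse. compareOp begins outside this hunk.
```go
case "bitmask":
	expectedResultPattern = "bitmask '%s' AND '%s'"
	requested, err := strconv.ParseInt(flagVal, 8, 64)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Not numeric value - flag: %q %v\n", flagVal, err)
		os.Exit(1)
	}
	maxPermission, err := strconv.ParseInt(tCompareValue, 8, 64)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Not numeric value - compareValue: %q %v\n", tCompareValue, err)
		os.Exit(1)
	}
	// PASS only when every mode bit set on the file is also allowed by the mask.
	testResult = (maxPermission & requested) == requested
```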

@ -666,6 +666,19 @@ func TestCompareOp(t *testing.T) {
{label: "op=valid_elements, valid_elements expectedResultPattern empty", op: "valid_elements", flagVal: "a,b",
compareValue: "", expectedResultPattern: "'a,b' contains valid elements from ''",
testResult: false},
// Test Op "bitmask"
{label: "op=bitmask, 644 AND 640", op: "bitmask", flagVal: "640",
compareValue: "644", expectedResultPattern: "bitmask '640' AND '644'",
testResult: true},
{label: "op=bitmask, 644 AND 777", op: "bitmask", flagVal: "777",
compareValue: "644", expectedResultPattern: "bitmask '777' AND '644'",
testResult: false},
{label: "op=bitmask, 644 AND 444", op: "bitmask", flagVal: "444",
compareValue: "644", expectedResultPattern: "bitmask '444' AND '644'",
testResult: true},
{label: "op=bitmask, 644 AND 211", op: "bitmask", flagVal: "211",
compareValue: "644", expectedResultPattern: "bitmask '211' AND '644'",
testResult: false},
}
for _, c := range cases {
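Review bot: The new cases at L2289–L2301 do not cover the situation that distinguishes `bitmask` from a numeric `lte`: a mode that is numerically smaller than the mask but has bits outside it, which is exactly what the permission checks must reject. Adding `{label: "op=bitmask, 644 AND 622", op: "bitmask", flagVal: "622", compareValue: "644", expectedResultPattern: "bitmask '622' AND '644'", testResult: false}` pins that behaviour, and an equality case (`flagVal: "644"`, `compareValue: "644"`, `testResult: true`) pins the boundary. A case with a non-octal `flagVal` cannot be written while the error path calls `os.Exit`, which is another argument for surfacing that parse error differently.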
