From 60f2fb592afe072e7190803a5abc47d20fd47b04 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Mon, 16 Mar 2020 14:25:46 +0200 Subject: [PATCH] Add option to do bitmask (#565) * Add option to do bitwise and between two value in order to compare permissions * Update test.go Removed self debug note * Update test_test.go FIx typo * Update test.go * Update test.go Switched between max and requested value, because accidentally assigned them oppositely and remove old function relate to octal base * Update test_test.go * Update test_test.go --- cfg/cis-1.3/master.yaml | 267 ++++------------------------------- cfg/cis-1.3/node.yaml | 154 ++------------------ cfg/cis-1.4/master.yaml | 306 ++++------------------------------------ cfg/cis-1.4/node.yaml | 172 +++------------------- cfg/cis-1.5/master.yaml | 267 ++++------------------------------- cfg/cis-1.5/node.yaml | 154 ++------------------ cfg/rh-0.7/master.yaml | 180 ++++------------------- cfg/rh-0.7/node.yaml | 148 ++----------------- check/test.go | 10 +- check/test_test.go | 13 ++ 10 files changed, 190 insertions(+), 1481 deletions(-) diff --git a/cfg/cis-1.3/master.yaml b/cfg/cis-1.3/master.yaml index eae6295..2239cee 100644 --- a/cfg/cis-1.3/master.yaml +++ b/cfg/cis-1.3/master.yaml 
@@ -844,45 +844,14 @@ groups: - id: 1.4.1 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -909,45 +878,14 @@ groups: - id: 1.4.3 text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'" + audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
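Review bot: The `bitmask` compare with value `644` at check 1.4.1 presumably accepts every mode whose bits are a subset of 0644, which is a wider set than the seven modes the removed `eq` items enumerated — 0044 or 0244 would now pass — though none of the newly accepted modes grants more than 0644 does, so the check does not loosen. What happens with a fourth digit from `stat -c %a` (setuid/setgid/sticky, e.g. `1644`) depends on how check/test.go parses the value, which is outside this chunk; a unit test there confirming such a mode fails would be worth adding. The same item shape is used in every permission hunk of this patch (1.4.3 through 1.4.17 here and the cis-1.4 and cis-1.5 master and node hunks), so this note covers all of them. Since the `text:` line still reads "644 or more restrictive", a short comment on the first such item, `# bitmask: passes only when no permission bit outside 644 is set`, would document the new semantics for whoever edits the benchmarks next.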
@@ -974,45 +912,14 @@ groups: - id: 1.4.5 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -1039,45 +946,14 @@ groups: - id: 1.4.7 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -1104,7 +980,7 @@ groups: - id: 1.4.9 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" - audit: "stat -c %a " + audit: "stat -c permissions=%a " type: "manual" remediation: | [Manual test] @@ -1127,12 +1003,12 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a + audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a tests: test_items: - - flag: "700" + - flag: "permissions" compare: - op: eq + op: bitmask value: "700" set: true remediation: | @@ -1161,45 +1037,14 @@ groups: - id: 1.4.13 text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -1225,45 +1070,14 @@ groups: - id: 1.4.15 text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/scheduler.conf 
@@ -1287,45 +1101,14 @@ groups: - id: 1.4.17 text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf diff --git a/cfg/cis-1.3/node.yaml b/cfg/cis-1.3/node.yaml index 4928416..9111be1 100644 --- a/cfg/cis-1.3/node.yaml +++ b/cfg/cis-1.3/node.yaml 
@@ -358,45 +358,14 @@ groups: checks: - id: 2.2.1 text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' ' tests: test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -421,45 +390,14 @@ groups: - id: 2.2.3 text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" + - flag: "permissions" set: true - - flag: "600" compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
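Review bot: In the 2.2.3 hunk the rewritten item ends up ordered `flag`, `set: true`, then `compare:`, whereas 2.2.1 just above and all master.yaml hunks put `compare:` before `set: true`; the YAML is valid either way, but the mixed order makes the benchmark files harder to scan and diff. The same shape appears in 2.2.5 and 2.2.10 of this file and in the cis-1.4 node.yaml hunks. Suggest ordering each item as `- flag: "permissions"`, then `compare:` with `op: bitmask` and `value: "644"`, then `set: true`, throughout.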
@@ -481,45 +419,14 @@ groups: - id: 2.2.5 text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' ' + audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" + - flag: "permissions" set: true - - flag: "440" compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -576,45 +483,14 @@ groups: - id: 2.2.10 text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" + - flag: "permissions" set: true - - flag: "440" compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the following command (using the config file location identied in the Audit step) chmod 644 $kubeletconf 
diff --git a/cfg/cis-1.4/master.yaml b/cfg/cis-1.4/master.yaml index c229917..4939ec6 100644 --- a/cfg/cis-1.4/master.yaml +++ b/cfg/cis-1.4/master.yaml @@ -846,45 +846,14 @@ groups: - id: 1.4.1 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -911,45 +880,14 @@ groups: - id: 1.4.3 text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'" + audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -976,45 +914,14 @@ groups: - id: 1.4.5 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -1041,45 +948,14 @@ groups: - id: 1.4.7 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -1106,7 +982,7 @@ groups: - id: 1.4.9 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" - audit: "stat -c %a " + audit: "stat -c permissions=%a " type: "manual" remediation: | [Manual test] @@ -1129,12 +1005,12 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a + audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a tests: test_items: - - flag: "700" + - flag: "permissions" compare: - op: eq + op: bitmask value: "700" set: true remediation: | 
@@ -1163,45 +1039,14 @@ groups: - id: 1.4.13 text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -1227,45 +1072,14 @@ groups: - id: 1.4.15 text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/scheduler.conf 
@@ -1289,45 +1103,14 @@ groups: - id: 1.4.17 text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf @@ -1370,43 +1153,12 @@ groups: audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt" type: "manual" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | [Manual test] Run the below command (based on the file location on your system) on the master node. @@ -1419,9 +1171,9 @@ groups: type: "manual" tests: test_items: - - flag: "600" + - flag: "permissions" compare: - op: eq + op: bitmask value: "600" set: true remediation: | 
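Review bot: In the hunk at old line 1370 (the `/etc/kubernetes/pki/*.crt` permissions check) the flag becomes `permissions`, but the audit line `stat -c %n\ %a /etc/kubernetes/pki/*.crt` is unchanged context, so its output contains no `permissions=` token and the item can never match. The audit should emit the key the way the other hunks do: `audit: "stat -c %n\ permissions=%a /etc/kubernetes/pki/*.crt"`. The following hunk (old line 1419, value `600`) makes the same flag change while its audit line lies outside the hunk, so it needs the same verification. Both checks are `type: "manual"`, so the practical impact depends on how manual items are reported, but the mismatch is visible in the diff.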
diff --git a/cfg/cis-1.4/node.yaml b/cfg/cis-1.4/node.yaml index ed7ac42..1f0943b 100644 --- a/cfg/cis-1.4/node.yaml +++ b/cfg/cis-1.4/node.yaml @@ -341,45 +341,14 @@ groups: checks: - id: 2.2.1 text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" + - flag: "permissions" set: true - - flag: "440" compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
@@ -404,45 +373,14 @@ groups: - id: 2.2.3 text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" + - flag: "permissions" set: true - - flag: "000" compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -464,45 +402,14 @@ groups: - id: 2.2.5 text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' ' + audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" + - flag: "permissions" set: true - - flag: "640" compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
@@ -524,25 +431,15 @@ groups: - id: 2.2.7 text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) - audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'" + audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c permissions=%a $kubeletcafile; fi'" tests: bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true remediation: | Run the following command to modify the file permissions of the --client-ca-file chmod 644 @@ -577,45 +474,14 @@ groups: - id: 2.2.10 text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) - audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" + - flag: "permissions" set: true - - flag: "444" compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the following command (using the config file location identied in the Audit step) chmod 644 $kubeletconf diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml index a6ad3bc..07845dc 100644 --- a/cfg/cis-1.5/master.yaml +++ b/cfg/cis-1.5/master.yaml 
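Review bot: Check 2.2.7 keeps `bin_op: or` as an unchanged context line while its test_items now holds a single `permissions` item, so the operator has nothing left to combine; every other hunk in this patch removes the `bin_op: or` line when it collapses the list to one item. Dropping it here keeps the file consistent with the rest of the change: remove `bin_op: or` under `tests:`.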
@@ -10,45 +10,14 @@ groups: checks: - id: 1.1.1 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. @@ -73,45 +42,14 @@ groups: - id: 1.1.3 text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'" + audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -136,45 +74,14 @@ groups: - id: 1.1.5 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -199,45 +106,14 @@ groups: - id: 1.1.7 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -262,7 +138,7 @@ groups: - id: 1.1.9 text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" - audit: "stat -c %a " + audit: "stat -c permissions=%a " type: "manual" remediation: | Run the below command (based on the file location on your system) on the master node. @@ -282,12 +158,12 @@ groups: - id: 1.1.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a + audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a tests: test_items: - - flag: "700" + - flag: "permissions" compare: - op: eq + op: bitmask value: "700" set: true remediation: | @@ -314,45 +190,14 @@ groups: - id: 1.1.13 text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -377,45 +222,14 @@ groups: - id: 1.1.15 text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -440,45 +254,14 @@ groups: - id: 1.1.17 text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'" + audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml index 851ad32..8f3e5cc 100644 --- a/cfg/cis-1.5/node.yaml +++ b/cfg/cis-1.5/node.yaml 
@@ -10,45 +10,14 @@ groups: checks: - id: 4.1.1 text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" - audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" + - flag: "permissions" set: true - - flag: "400" compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -70,45 +39,14 @@ groups: - id: 4.1.3 text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" - audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' ' + audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" + - flag: "permissions" set: true - - flag: "600" compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, 
@@ -129,45 +67,14 @@ groups: - id: 4.1.5 text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" - audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' ' tests: test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" + - flag: "permissions" set: true - - flag: "400" compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or + op: bitmask + value: "644" remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, @@ -215,45 +122,14 @@ groups: - id: 4.1.9 text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" - audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' ' + audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' ' tests: test_items: - - flag: "644" + - flag: "permissions" set: true compare: - op: eq + op: bitmask value: "644" - - flag: "640" - set: true - compare: - op: eq - value: "640" - - flag: "600" - set: true - compare: - op: eq - value: "600" - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true - bin_op: or remediation: | Run the following command (using the config file location identied in the Audit step) chmod 644 $kubeletconf 
diff --git a/cfg/rh-0.7/master.yaml b/cfg/rh-0.7/master.yaml
index d7c98e7..6ebbc3e 100644
--- a/cfg/rh-0.7/master.yaml
+++ b/cfg/rh-0.7/master.yaml
@@ -815,12 +815,12 @@ groups:
 checks:
 - id: 4.1
 text: "Verify the OpenShift default permissions for the API server pod specification file"
- audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
+ audit: "stat -c permissions=%a /etc/origin/node/pods/apiserver.yaml"
 tests:
 test_items:
- - flag: "600"
+ - flag: "permissions"
 compare:
- op: eq
+ op: bitmask
 value: "600"
 set: true
 remediation: |
@@ -847,12 +847,12 @@ groups:
 - id: 4.3
 text: "Verify the OpenShift default file permissions for the controller manager pod specification file"
- audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+ audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
 tests:
 test_items:
- - flag: "600"
+ - flag: "permissions"
 compare:
- op: eq
+ op: bitmask
 value: "600"
 set: true
 remediation: |
@@ -879,18 +879,18 @@ groups:
 - id: 4.5
 text: "Verify the OpenShift default permissions for the scheduler pod specification file"
- audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+ audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
 tests:
 test_items:
- - flag: "600"
+ - flag: "permissions"
 compare:
- op: eq
+ op: bitmask
 value: "600"
 set: true
 remediation: |
 Run the below command.
- chmod 600 stat -c %a /etc/origin/node/pods/controller.yaml
+ chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml
 scored: true
 - id: 4.6
@@ -911,12 +911,12 @@ groups:
 - id: 4.7
 text: "Verify the OpenShift default etcd pod specification file permissions"
- audit: "stat -c %a /etc/origin/node/pods/etcd.yaml"
+ audit: "stat -c permissions=%a /etc/origin/node/pods/etcd.yaml"
 tests:
 test_items:
- - flag: "600"
+ - flag: "permissions"
 compare:
- op: eq
+ op: bitmask
 value: "600"
 set: true
 remediation: |
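Review bot: The remediation for check 4.5 now reads `chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml`, which is not a runnable command; the search-and-replace carried an existing paste error forward into the new side. It should be `chmod 600 /etc/origin/node/pods/controller.yaml`, the same shape as the check's audit target. Separately, 4.5 is described as the scheduler pod specification file but its audit stats `controller.yaml`, the same file as 4.3; if that is intentional for this OpenShift layout a short comment on the check would save the next reader the same question, otherwise the path needs correcting.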
@@ -943,45 +943,14 @@ groups: - id: 4.9 text: "Verify the default OpenShift Container Network Interface file permissions" - audit: "stat -c %a /etc/origin/openvswitch/ /etc/cni/net.d/" + audit: "stat -c permissions=%a /etc/origin/openvswitch/ /etc/cni/net.d/" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command. @@ -1006,12 +975,12 @@ groups: - id: 4.11 text: "Verify the default OpenShift etcd data directory permissions" - audit: "stat -c %a /var/lib/etcd" + audit: "stat -c permissions=%a /var/lib/etcd" tests: test_items: - - flag: "700" + - flag: "permissions" compare: - op: eq + op: bitmask value: "700" set: true remediation: | @@ -1040,45 +1009,14 @@ groups: - id: 4.13 text: "Verify the default OpenShift admin.conf file permissions" - audit: "stat -c %a /etc/origin/master/admin.kubeconfig" + audit: "stat -c permissions=%a /etc/origin/master/admin.kubeconfig" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command. 
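Review bot: The 4.9 audit runs `stat -c permissions=%a` over two paths (`/etc/origin/openvswitch/` and `/etc/cni/net.d/`), so its output carries two `permissions=` lines, while the rewritten test has a single `permissions` item with one bitmask compare. Whether the framework applies the compare to every matching line or only to the first is not visible in this diff; if only the first line is evaluated, an over-permissive `/etc/cni/net.d/` would go unreported. Splitting the check into one test item per path, or adding a test that pins the multi-line behaviour, would remove the ambiguity.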
@@ -1103,45 +1041,14 @@ groups: - id: 4.15 text: "Verify the default OpenShift scheduler.conf file permissions" - audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig" + audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command. @@ -1166,45 +1073,14 @@ groups: - id: 4.17 text: "Verify the default Openshift controller-manager.conf file permissions" - audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig" + audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command. diff --git a/cfg/rh-0.7/node.yaml b/cfg/rh-0.7/node.yaml index 23d116f..62df9ce 100644 --- a/cfg/rh-0.7/node.yaml +++ b/cfg/rh-0.7/node.yaml 
@@ -213,45 +213,14 @@ groups: checks: - id: 8.1 text: "Verify the OpenShift default permissions for the kubelet.conf file" - audit: "stat -c %a /etc/origin/node/node.kubeconfig" + audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig @@ -274,45 +243,14 @@ groups: - id: 8.3 text: "Verify the kubelet service file permissions of 644" - audit: "stat -c %a $nodesvc" + audit: "stat -c permissions=%a $nodesvc" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command on each worker node. chmod 644 $nodesvc 
@@ -335,45 +273,14 @@ groups: - id: 8.5 text: "Verify the OpenShift default permissions for the proxy kubeconfig file" - audit: "stat -c %a /etc/origin/node/node.kubeconfig" + audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig @@ -396,45 +303,14 @@ groups: - id: 8.7 text: "Verify the OpenShift default permissions for the certificate authorities file." - audit: "stat -c %a /etc/origin/node/client-ca.crt" + audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt" tests: - bin_op: or test_items: - - flag: "644" + - flag: "permissions" compare: - op: eq + op: bitmask value: "644" set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - - flag: "444" - compare: - op: eq - value: "444" - set: true - - flag: "440" - compare: - op: eq - value: "440" - set: true - - flag: "400" - compare: - op: eq - value: "400" - set: true - - flag: "000" - compare: - op: eq - value: "000" - set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/client-ca.crt diff --git a/check/test.go b/check/test.go index ece8ba9..2f7a288 100644 --- a/check/test.go +++ b/check/test.go 
@@ -210,8 +210,16 @@ func compareOp(tCompareOp string, flagVal string, tCompareValue string) (string,
 target := splitAndRemoveLastSeparator(tCompareValue, defaultArraySeparator)
 testResult = allElementsValid(s, target)
+ case "bitmask":
+ expectedResultPattern = "bitmask '%s' AND '%s'"
+ requested, err := strconv.ParseInt(flagVal, 8, 64)
+ max, err := strconv.ParseInt(tCompareValue, 8, 64)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Not numeric value - flag: %q - compareValue: %q %v\n", flagVal, tCompareValue, err)
+ os.Exit(1)
+ }
+ testResult = (max & requested) == requested
 }
-
 if expectedResultPattern == "" {
 return expectedResultPattern, testResult
 }
diff --git a/check/test_test.go b/check/test_test.go
index 5323dc9..ccd596f 100644
--- a/check/test_test.go
+++ b/check/test_test.go
@@ -666,6 +666,19 @@ func TestCompareOp(t *testing.T) {
 {label: "op=valid_elements, valid_elements expectedResultPattern empty", op: "valid_elements", flagVal: "a,b", compareValue: "", expectedResultPattern: "'a,b' contains valid elements from ''", testResult: false},
+ // Test Op "bitmask"
+ {label: "op=bitmask, 644 AND 640", op: "bitmask", flagVal: "640",
+ compareValue: "644", expectedResultPattern: "bitmask '640' AND '644'",
+ testResult: true},
+ {label: "op=bitmask, 644 AND 777", op: "bitmask", flagVal: "777",
+ compareValue: "644", expectedResultPattern: "bitmask '777' AND '644'",
+ testResult: false},
+ {label: "op=bitmask, 644 AND 444", op: "bitmask", flagVal: "444",
+ compareValue: "644", expectedResultPattern: "bitmask '444' AND '644'",
+ testResult: true},
+ {label: "op=bitmask, 644 AND 211", op: "bitmask", flagVal: "211",
+ compareValue: "644", expectedResultPattern: "bitmask '211' AND '644'",
+ testResult: false},
 }
 for _, c := range cases {
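Review bot: The error from the first `strconv.ParseInt` in the `bitmask` case is overwritten by the `:=` on the next line, so a `flagVal` that is not valid octal is never reported: `requested` stays 0, `(max & 0) == 0` holds, and the check is recorded as passing. For a compliance check a malformed observed value should fail loudly rather than read as compliant, so each parse needs its own error check, or two error variables tested together as below. `max` also shadows the Go built-in of the same name in newer toolchains; `maxAllowed` reads better and states what the value is. The new op is undocumented in this diff — a comment on the case, `// bitmask: pass when every permission bit set in flagVal is also set in tCompareValue, i.e. flagVal is "tCompareValue or more restrictive"`, plus an entry wherever the other compare ops are described, would help. compareOp's signature is above the hunk and the rest of its body is below it.
```go
	case "bitmask":
		expectedResultPattern = "bitmask '%s' AND '%s'"
		requested, errReq := strconv.ParseInt(flagVal, 8, 64)
		maxAllowed, errMax := strconv.ParseInt(tCompareValue, 8, 64)
		if errReq != nil || errMax != nil {
			fmt.Fprintf(os.Stderr, "Not numeric value - flag: %q - compareValue: %q %v %v\n", flagVal, tCompareValue, errReq, errMax)
			os.Exit(1)
		}
		// Every permission bit observed must also be allowed by the benchmark value.
		testResult = (maxAllowed & requested) == requested
	}
	// … unchanged: expectedResultPattern check and return …
```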