@ -846,45 +846,14 @@ groups:
- id : 1.4 .1
- id : 1.4 .1
text : "Ensure that the API server pod specification file permissions are
text : "Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)"
set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit : "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions= %a $apiserverconf; fi'"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
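Review bot: the new audit string on the `stat -c permissions= %a $apiserverconf` line splits the format from its placeholder: the shell passes `permissions=` as the `-c` argument and `%a` as a separate file operand, so stat prints the bare literal `permissions=` and then fails with `cannot stat '%a'`, and the output never contains a `permissions=<mode>` token for the new `bitmask` test to read. Write it as one word, e.g. `stat -c permissions=%a "$apiserverconf"` (quoting the variable also keeps a path containing spaces intact). The same `permissions= %a` spacing appears in every other audit command in this patch and should be corrected in each of them. Dropping `bin_op: or` is correct now that a single test item remains.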
@ -911,45 +880,14 @@ groups:
- id : 1.4 .3
- id : 1.4 .3
text : "Ensure that the controller manager pod specification file
text : "Ensure that the controller manager pod specification file
permissions are set to 644 or more restrictive (Scored)"
permissions are set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
audit : "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions= %a $controllermanagerconf; fi'"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
@ -976,45 +914,14 @@ groups:
- id : 1.4 .5
- id : 1.4 .5
text : "Ensure that the scheduler pod specification file permissions are set
text : "Ensure that the scheduler pod specification file permissions are set
to 644 or more restrictive (Scored)"
to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
audit : "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions= %a $schedulerconf; fi'"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
@ -1041,45 +948,14 @@ groups:
- id : 1.4 .7
- id : 1.4 .7
text : "Ensure that the etcd pod specification file permissions are set to
text : "Ensure that the etcd pod specification file permissions are set to
644 or more restrictive (Scored)"
644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
audit : "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions= %a $etcdconf; fi'"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
@ -1106,7 +982,7 @@ groups:
- id : 1.4 .9
- id : 1.4 .9
text : "Ensure that the Container Network Interface file permissions are
text : "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
set to 644 or more restrictive (Not Scored)"
audit : "stat -c %a <path/to/cni/files>"
audit : "stat -c permissions= %a <path/to/cni/files>"
type : "manual"
type : "manual"
remediation : |
remediation : |
[ Manual test]
[ Manual test]
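Review bot: this is a `type: "manual"` check with no test items, so the prefix added to `stat -c permissions= %a <path/to/cni/files>` only changes what the operator reads, and as written the space still separates the format from `%a`, so the command prints a bare `permissions=` followed by a stat error. Either use `stat -c permissions=%a <path/to/cni/files>` or leave this manual audit as the original `stat -c %a`, since nothing parses its output.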
@ -1129,12 +1005,12 @@ groups:
- id : 1.4 .11
- id : 1.4 .11
text : "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
text : "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit : ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
audit : ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions= %a
tests:
tests:
test_items:
test_items:
- flag : " 700 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "700"
value : "700"
set : true
set : true
remediation : |
remediation : |
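Review bot: the `xargs stat -c permissions= %a` tail has the argument split too, and with xargs it is worse: the data directory is appended after `%a`, so stat receives the bare format `permissions=` and two operands, `%a` and the directory, and the output never contains the `permissions=700`-style token that the `bitmask` test now expects. Use `xargs stat -c permissions=%a`. With the value 700 the bitmask comparison passes for any mode whose bits are a subset of rwx------ (700, 600, 500, 400, 000), which matches the "700 or more restrictive" wording of the check.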
@ -1163,45 +1039,14 @@ groups:
- id : 1.4 .13
- id : 1.4 .13
text : "Ensure that the admin.conf file permissions are set to 644 or
text : "Ensure that the admin.conf file permissions are set to 644 or
more restrictive (Scored)"
more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions= %a /etc/kubernetes/admin.conf; fi'"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example,
For example,
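Review bot: the switch from seven `eq` items to a single `bitmask` item changes what the check accepts and nothing in the hunk documents it. The old list admitted exactly 644, 640, 600, 444, 440, 400 and 000; `bitmask` against 644 admits any mode with no bit set outside rw-r--r--, so modes such as 044, 040 or 004 now pass as well. That is consistent with the "644 or more restrictive" text, but a short comment on the test item (or in the comparator's documentation) stating that `bitmask` means "no permission bit set beyond the value" would stop the next reader from assuming it is an equality check.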
@ -1227,45 +1072,14 @@ groups:
- id : 1.4 .15
- id : 1.4 .15
text : "Ensure that the scheduler.conf file permissions are set to 644 or
text : "Ensure that the scheduler.conf file permissions are set to 644 or
more restrictive (Scored)"
more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions= %a /etc/kubernetes/scheduler.conf; fi'"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@ -1289,45 +1103,14 @@ groups:
- id : 1.4 .17
- id : 1.4 .17
text : "Ensure that the controller-manager.conf file permissions are set
text : "Ensure that the controller-manager.conf file permissions are set
to 644 or more restrictive (Scored)"
to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions= %a /etc/kubernetes/controller-manager.conf; fi'"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
@ -1370,43 +1153,12 @@ groups:
audit : "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
audit : "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
type : "manual"
type : "manual"
tests:
tests:
bin_op : or
test_items:
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "644"
value : "644"
set : true
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
remediation : |
[ Manual test]
[ Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
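Review bot: the test items in this hunk were switched to the `permissions` flag with `op: bitmask`, but the audit command above them, `stat -c %n\ %a /etc/kubernetes/pki/*.crt`, is unchanged and still prints `<name> <mode>` with no `permissions=` prefix, so the flag can never be found and the check cannot pass for any certificate. Update the audit to emit the prefix on every line, e.g. `stat -c '%n permissions=%a' /etc/kubernetes/pki/*.crt`, and confirm that the test evaluates each line of the multi-file output rather than only the first.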
@ -1419,9 +1171,9 @@ groups:
type : "manual"
type : "manual"
tests:
tests:
test_items:
test_items:
- flag : " 600 "
- flag : " permissions "
compare:
compare:
op : eq
op : bitmask
value : "600"
value : "600"
set : true
set : true
remediation : |
remediation : |
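Review bot: the audit command for this 600 check lies outside the hunk's context, so it is not visible whether it was updated to print `permissions=`; the `*.crt` check immediately above in the same file changed its test items the same way while keeping `stat -c %n\ %a`, so please verify this check's audit line before merging. If it still ends in a bare `%a`, the new `permissions` flag will not match and the check can no longer pass.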