Add option to do bitmask (#565)

* Add option to do bitwise and between two value in order to compare permissions * Update test.go Removed self debug note * Update test_test.go FIx typo * Update test.go * Update test.go Switched between max and requested value, because accidentally assigned them oppositely and remove old function relate to octal base * Update test_test.go * Update test_test.go
4 years ago · 60f2fb592a
parent 451721a1cf
commit 60f2fb592a
10 changed files with 190 additions and 1481 deletions
--- a/cfg/cis-1.3/master.yaml
+++ b/cfg/cis-1.3/master.yaml
@ -844,45 +844,14 @@ groups:
      - id: 1.4.1
        text: "Ensure that the API server pod specification file permissions are
        set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
+        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -909,45 +878,14 @@ groups:
      - id: 1.4.3
        text: "Ensure that the controller manager pod specification file
        permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
+        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -974,45 +912,14 @@ groups:
      - id: 1.4.5
        text: "Ensure that the scheduler pod specification file permissions are set
        to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
+        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -1039,45 +946,14 @@ groups:
      - id: 1.4.7
        text: "Ensure that the etcd pod specification file permissions are set to
        644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
+        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -1104,7 +980,7 @@ groups:
      - id: 1.4.9
        text: "Ensure that the Container Network Interface file permissions are
        set to 644 or more restrictive (Not Scored)"
-        audit: "stat -c %a <path/to/cni/files>"
+        audit: "stat -c permissions=%a <path/to/cni/files>"
        type: "manual"
        remediation: |
          [Manual test]
@ -1127,12 +1003,12 @@ groups:
      - id: 1.4.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
-        audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
+        audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
        tests:
          test_items:
-            - flag: "700"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "700"
              set: true
        remediation: |
@ -1161,45 +1037,14 @@ groups:
      - id: 1.4.13
        text: "Ensure that the admin.conf file permissions are set to 644 or
        more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -1225,45 +1070,14 @@ groups:
      - id: 1.4.15
        text: "Ensure that the scheduler.conf file permissions are set to 644 or
        more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the
          master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@ -1287,45 +1101,14 @@ groups:
      - id: 1.4.17
        text: "Ensure that the controller-manager.conf file permissions are set
        to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the
          master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
--- a/cfg/cis-1.3/node.yaml
+++ b/cfg/cis-1.3/node.yaml
@ -358,45 +358,14 @@ groups:
    checks:
      - id: 2.2.1
        text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
@ -421,45 +390,14 @@ groups:
      - id: 2.2.3
        text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
-                op: eq
+                op: bitmask
-                value: "600"
+                value: "644"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
@ -481,45 +419,14 @@ groups:
      - id: 2.2.5
        text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
-                op: eq
+                op: bitmask
-                value: "440"
+                value: "644"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
@ -576,45 +483,14 @@ groups:
      - id: 2.2.10
        text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
-                op: eq
+                op: bitmask
-                value: "440"
+                value: "644"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the following command (using the config file location identied in the Audit step)
          chmod 644 $kubeletconf
--- a/cfg/cis-1.4/master.yaml
+++ b/cfg/cis-1.4/master.yaml
@ -846,45 +846,14 @@ groups:
      - id: 1.4.1
        text: "Ensure that the API server pod specification file permissions are
        set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
+        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -911,45 +880,14 @@ groups:
      - id: 1.4.3
        text: "Ensure that the controller manager pod specification file
        permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
+        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -976,45 +914,14 @@ groups:
      - id: 1.4.5
        text: "Ensure that the scheduler pod specification file permissions are set
        to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
+        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -1041,45 +948,14 @@ groups:
      - id: 1.4.7
        text: "Ensure that the etcd pod specification file permissions are set to
        644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
+        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -1106,7 +982,7 @@ groups:
      - id: 1.4.9
        text: "Ensure that the Container Network Interface file permissions are
        set to 644 or more restrictive (Not Scored)"
-        audit: "stat -c %a <path/to/cni/files>"
+        audit: "stat -c permissions=%a <path/to/cni/files>"
        type: "manual"
        remediation: |
          [Manual test]
@ -1129,12 +1005,12 @@ groups:
      - id: 1.4.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
-        audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
+        audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
        tests:
          test_items:
-            - flag: "700"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "700"
              set: true
        remediation: |
@ -1163,45 +1039,14 @@ groups:
      - id: 1.4.13
        text: "Ensure that the admin.conf file permissions are set to 644 or
        more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -1227,45 +1072,14 @@ groups:
      - id: 1.4.15
        text: "Ensure that the scheduler.conf file permissions are set to 644 or
        more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the
          master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@ -1289,45 +1103,14 @@ groups:
      - id: 1.4.17
        text: "Ensure that the controller-manager.conf file permissions are set
        to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the
          master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
@ -1370,43 +1153,12 @@ groups:
        audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
        type: "manual"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          [Manual test]
          Run the below command (based on the file location on your system) on the master node.
@ -1419,9 +1171,9 @@ groups:
        type: "manual"
        tests:
          test_items:
-            - flag: "600"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "600"
              set: true
        remediation: |
--- a/cfg/cis-1.4/node.yaml
+++ b/cfg/cis-1.4/node.yaml
@ -341,45 +341,14 @@ groups:
    checks:
      - id: 2.2.1
        text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
-                op: eq
+                op: bitmask
-                value: "440"
+                value: "644"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
@ -404,45 +373,14 @@ groups:
      - id: 2.2.3
        text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
-                op: eq
+                op: bitmask
-                value: "000"
+                value: "644"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
@ -464,45 +402,14 @@ groups:
      - id: 2.2.5
        text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
-                op: eq
+                op: bitmask
-                value: "640"
+                value: "644"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker
          node. For example,
@ -524,25 +431,15 @@ groups:
      - id: 2.2.7
        text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
-        audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
+        audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c permissions=%a $kubeletcafile; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
        remediation: |
          Run the following command to modify the file permissions of the --client-ca-file
          chmod 644 <filename>
@ -577,45 +474,14 @@ groups:
      - id: 2.2.10
        text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
-        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
-                op: eq
+                op: bitmask
-                value: "444"
+                value: "644"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the following command (using the config file location identied in the Audit step)
          chmod 644 $kubeletconf
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@ -10,45 +10,14 @@ groups:
    checks:
      - id: 1.1.1
        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
+        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the
          master node.
@ -73,45 +42,14 @@ groups:
      - id: 1.1.3
        text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
+        audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -136,45 +74,14 @@ groups:
      - id: 1.1.5
        text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
+        audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -199,45 +106,14 @@ groups:
      - id: 1.1.7
        text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
+        audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -262,7 +138,7 @@ groups:
      - id: 1.1.9
        text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
-        audit: "stat -c %a <path/to/cni/files>"
+        audit: "stat -c permissions=%a <path/to/cni/files>"
        type: "manual"
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
@ -282,12 +158,12 @@ groups:
      - id: 1.1.11
        text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
-        audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
+        audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
        tests:
          test_items:
-            - flag: "700"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "700"
              set: true
        remediation: |
@ -314,45 +190,14 @@ groups:
      - id: 1.1.13
        text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -377,45 +222,14 @@ groups:
      - id: 1.1.15
        text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
@ -440,45 +254,14 @@ groups:
      - id: 1.1.17
        text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
-        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
+        audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command (based on the file location on your system) on the master node.
          For example,
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@ -10,45 +10,14 @@ groups:
    checks:
      - id: 4.1.1
        text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
-        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
-                op: eq
+                op: bitmask
-                value: "400"
+                value: "644"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
@ -70,45 +39,14 @@ groups:
      - id: 4.1.3
        text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
-        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
-                op: eq
+                op: bitmask
-                value: "600"
+                value: "644"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
@ -129,45 +67,14 @@ groups:
      - id: 4.1.5
        text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
-        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
                op: eq
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
-                op: eq
+                op: bitmask
-                value: "400"
+                value: "644"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the below command (based on the file location on your system) on the each worker node.
          For example,
@ -215,45 +122,14 @@ groups:
      - id: 4.1.9
        text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
-        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
+        audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
        tests:
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              set: true
              compare:
-                op: eq
+                op: bitmask
                value: "644"
            - flag: "640"
              set: true
              compare:
                op: eq
                value: "640"
            - flag: "600"
              set: true
              compare:
                op: eq
                value: "600"
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
          bin_op: or
        remediation: |
          Run the following command (using the config file location identied in the Audit step)
          chmod 644 $kubeletconf
--- a/cfg/rh-0.7/master.yaml
+++ b/cfg/rh-0.7/master.yaml
@ -815,12 +815,12 @@ groups:
    checks:
      - id: 4.1
        text: "Verify the OpenShift default permissions for the API server pod specification file"
-        audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
+        audit: "stat -c permissions=%a /etc/origin/node/pods/apiserver.yaml"
        tests:
          test_items:
-            - flag: "600"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "600"
              set: true
        remediation: |
@ -847,12 +847,12 @@ groups:
      - id: 4.3
        text: "Verify the OpenShift default file permissions for the controller manager pod specification file"
-        audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+        audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
        tests:
          test_items:
-            - flag: "600"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "600"
              set: true
        remediation: |
@ -879,18 +879,18 @@ groups:
      - id: 4.5
        text: "Verify the OpenShift default permissions for the scheduler pod specification file"
-        audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+        audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
        tests:
          test_items:
-            - flag: "600"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "600"
              set: true
        remediation: |
          Run the below command.
-          chmod 600 stat -c %a /etc/origin/node/pods/controller.yaml
+          chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml
        scored: true
      - id: 4.6
@ -911,12 +911,12 @@ groups:
      - id: 4.7
        text: "Verify the OpenShift default etcd pod specification file permissions"
-        audit: "stat -c %a /etc/origin/node/pods/etcd.yaml"
+        audit: "stat -c permissions=%a /etc/origin/node/pods/etcd.yaml"
        tests:
          test_items:
-            - flag: "600"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "600"
              set: true
        remediation: |
@ -943,45 +943,14 @@ groups:
      - id: 4.9
        text: "Verify the default OpenShift Container Network Interface file permissions"
-        audit: "stat -c %a /etc/origin/openvswitch/ /etc/cni/net.d/"
+        audit: "stat -c permissions=%a /etc/origin/openvswitch/ /etc/cni/net.d/"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command.
@ -1006,12 +975,12 @@ groups:
      - id: 4.11
        text: "Verify the default OpenShift etcd data directory permissions"
-        audit: "stat -c %a /var/lib/etcd"
+        audit: "stat -c permissions=%a /var/lib/etcd"
        tests:
          test_items:
-            - flag: "700"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "700"
              set: true
        remediation: |
@ -1040,45 +1009,14 @@ groups:
      - id: 4.13
        text: "Verify the default OpenShift admin.conf file permissions"
-        audit: "stat -c %a /etc/origin/master/admin.kubeconfig"
+        audit: "stat -c permissions=%a /etc/origin/master/admin.kubeconfig"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command.
@ -1103,45 +1041,14 @@ groups:
      - id: 4.15
        text: "Verify the default OpenShift scheduler.conf file permissions"
-        audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
+        audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command.
@ -1166,45 +1073,14 @@ groups:
      - id: 4.17
        text: "Verify the default Openshift controller-manager.conf file permissions"
-        audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
+        audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command.
--- a/cfg/rh-0.7/node.yaml
+++ b/cfg/rh-0.7/node.yaml
@ -213,45 +213,14 @@ groups:
    checks:
      - id: 8.1
        text: "Verify the OpenShift default permissions for the kubelet.conf file"
-        audit: "stat -c %a  /etc/origin/node/node.kubeconfig"
+        audit: "stat -c permissions=%a  /etc/origin/node/node.kubeconfig"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command on each worker node.
          chmod 644 /etc/origin/node/node.kubeconfig
@ -274,45 +243,14 @@ groups:
      - id: 8.3
        text: "Verify the kubelet service file permissions of 644"
-        audit: "stat -c %a $nodesvc"
+        audit: "stat -c permissions=%a $nodesvc"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command on each worker node.
          chmod 644 $nodesvc
@ -335,45 +273,14 @@ groups:
      - id: 8.5
        text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
-        audit: "stat -c %a /etc/origin/node/node.kubeconfig"
+        audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command on each worker node.
          chmod 644 /etc/origin/node/node.kubeconfig
@ -396,45 +303,14 @@ groups:
      - id: 8.7
        text: "Verify the OpenShift default permissions for the certificate authorities file."
-        audit: "stat -c %a /etc/origin/node/client-ca.crt"
+        audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt"
        tests:
          bin_op: or
          test_items:
-            - flag: "644"
+            - flag: "permissions"
              compare:
-                op: eq
+                op: bitmask
                value: "644"
              set: true
            - flag: "640"
              compare:
                op: eq
                value: "640"
              set: true
            - flag: "600"
              compare:
                op: eq
                value: "600"
              set: true
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
            - flag: "000"
              compare:
                op: eq
                value: "000"
              set: true
        remediation: |
          Run the below command on each worker node.
          chmod 644 /etc/origin/node/client-ca.crt
--- a/check/test.go
+++ b/check/test.go
@ -210,8 +210,16 @@ func compareOp(tCompareOp string, flagVal string, tCompareValue string) (string,
 		target := splitAndRemoveLastSeparator(tCompareValue, defaultArraySeparator)
 		testResult = allElementsValid(s, target)
 	case "bitmask":
 		expectedResultPattern = "bitmask '%s' AND '%s'"
 		requested, err := strconv.ParseInt(flagVal, 8, 64)
 		max, err := strconv.ParseInt(tCompareValue, 8, 64)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Not numeric value - flag: %q - compareValue: %q %v\n", flagVal, tCompareValue, err)
 			os.Exit(1)
 		}
 		testResult = (max & requested) == requested
 	}
 	if expectedResultPattern == "" {
 		return expectedResultPattern, testResult
 	}
--- a/check/test_test.go
+++ b/check/test_test.go
@ -666,6 +666,19 @@ func TestCompareOp(t *testing.T) {
 		{label: "op=valid_elements, valid_elements expectedResultPattern empty", op: "valid_elements", flagVal: "a,b",
 			compareValue: "", expectedResultPattern: "'a,b' contains valid elements from ''",
 			testResult: false},
 		// Test Op "bitmask"
 		{label: "op=bitmask, 644 AND 640", op: "bitmask", flagVal: "640",
 			compareValue: "644", expectedResultPattern: "bitmask '640' AND '644'",
 			testResult: true},
 		{label: "op=bitmask, 644 AND 777", op: "bitmask", flagVal: "777",
 			compareValue: "644", expectedResultPattern: "bitmask '777' AND '644'",
 			testResult: false},
 		{label: "op=bitmask, 644 AND 444", op: "bitmask", flagVal: "444",
 			compareValue: "644", expectedResultPattern: "bitmask '444' AND '644'",
 			testResult: true},
 		{label: "op=bitmask, 644 AND 211", op: "bitmask", flagVal: "211",
 			compareValue: "644", expectedResultPattern: "bitmask '211' AND '644'",
 			testResult: false},
 	}
 	for _, c := range cases {