Add option to do bitmask (#565)
* Add option to do a bitwise AND between two values in order to compare permissions * Update test.go Removed self debug note * Update test_test.go Fix typo * Update test.go * Update test.go Switched the max and requested values, because they were accidentally assigned the other way round, and removed the old function related to octal base * Update test_test.go * Update test_test.go
This commit is contained in:
parent
451721a1cf
commit
60f2fb592a
@ -844,45 +844,14 @@ groups:
|
|||||||
- id: 1.4.1
|
- id: 1.4.1
|
||||||
text: "Ensure that the API server pod specification file permissions are
|
text: "Ensure that the API server pod specification file permissions are
|
||||||
set to 644 or more restrictive (Scored)"
|
set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -909,45 +878,14 @@ groups:
|
|||||||
- id: 1.4.3
|
- id: 1.4.3
|
||||||
text: "Ensure that the controller manager pod specification file
|
text: "Ensure that the controller manager pod specification file
|
||||||
permissions are set to 644 or more restrictive (Scored)"
|
permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -974,45 +912,14 @@ groups:
|
|||||||
- id: 1.4.5
|
- id: 1.4.5
|
||||||
text: "Ensure that the scheduler pod specification file permissions are set
|
text: "Ensure that the scheduler pod specification file permissions are set
|
||||||
to 644 or more restrictive (Scored)"
|
to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -1039,45 +946,14 @@ groups:
|
|||||||
- id: 1.4.7
|
- id: 1.4.7
|
||||||
text: "Ensure that the etcd pod specification file permissions are set to
|
text: "Ensure that the etcd pod specification file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -1104,7 +980,7 @@ groups:
|
|||||||
- id: 1.4.9
|
- id: 1.4.9
|
||||||
text: "Ensure that the Container Network Interface file permissions are
|
text: "Ensure that the Container Network Interface file permissions are
|
||||||
set to 644 or more restrictive (Not Scored)"
|
set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "stat -c %a <path/to/cni/files>"
|
audit: "stat -c permissions=%a <path/to/cni/files>"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
[Manual test]
|
[Manual test]
|
||||||
@ -1127,12 +1003,12 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.11
|
- id: 1.4.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
|
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "700"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "700"
|
value: "700"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -1161,45 +1037,14 @@ groups:
|
|||||||
- id: 1.4.13
|
- id: 1.4.13
|
||||||
text: "Ensure that the admin.conf file permissions are set to 644 or
|
text: "Ensure that the admin.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -1225,45 +1070,14 @@ groups:
|
|||||||
- id: 1.4.15
|
- id: 1.4.15
|
||||||
text: "Ensure that the scheduler.conf file permissions are set to 644 or
|
text: "Ensure that the scheduler.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the
|
Run the below command (based on the file location on your system) on the
|
||||||
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
|
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
|
||||||
@ -1287,45 +1101,14 @@ groups:
|
|||||||
- id: 1.4.17
|
- id: 1.4.17
|
||||||
text: "Ensure that the controller-manager.conf file permissions are set
|
text: "Ensure that the controller-manager.conf file permissions are set
|
||||||
to 644 or more restrictive (Scored)"
|
to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the
|
Run the below command (based on the file location on your system) on the
|
||||||
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
|
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
|
||||||
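Review bot: The `op: bitmask` / `value: "644"` item introduced in the 1.4.1 hunk (and likewise in 1.4.3, 1.4.5, 1.4.7, 1.4.13, 1.4.15, 1.4.17, and 1.4.11 with `"700"`, plus the second master benchmark section further down this page) gives no hint which way the comparison runs, and `bitmask` is a new operator whose semantics live in test.go, outside this view. The commit description says it is a bitwise AND of the two values; for the check to mean "644 or more restrictive" the observed mode must set no bits outside `value`, which is also a behavior change from the removed list, since modes such as 604 or 044 that the `eq` items rejected would presumably now pass. Suggest a comment at the first use, `# bitmask: passes when the observed mode sets no permission bits beyond "value" (i.e. 644 or more restrictive)`, so later check authors do not read it as "at least these bits". GNU `stat -c %a` prints a leading fourth digit when setuid/setgid/sticky bits are set, so it is worth confirming in the test.go change that such modes still fail rather than being truncated to three digits.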
|
@ -358,45 +358,14 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
@ -421,45 +390,14 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
@ -481,45 +419,14 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
@ -576,45 +483,14 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.10
|
- id: 2.2.10
|
||||||
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chmod 644 $kubeletconf
|
chmod 644 $kubeletconf
|
||||||
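Review bot: In the 2.2.3 hunk the new item places `set: true` before `compare:` (the line added directly under `- flag: "permissions"`), while 2.2.1 in the same file keeps `set: true` after `value:`, as every item in the master benchmark files does; 2.2.5 and 2.2.10 follow the 2.2.3 order. Both orders parse to the same mapping, so this is style only, but one key order keeps these near-identical items greppable and diffable across files. Suggest restoring the `compare:` / `op:` / `value:` / `set: true` order in 2.2.3, 2.2.5 and 2.2.10. Dropping `bin_op: or` in each of these hunks is consistent with the list collapsing to a single test item.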
|
@ -846,45 +846,14 @@ groups:
|
|||||||
- id: 1.4.1
|
- id: 1.4.1
|
||||||
text: "Ensure that the API server pod specification file permissions are
|
text: "Ensure that the API server pod specification file permissions are
|
||||||
set to 644 or more restrictive (Scored)"
|
set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -911,45 +880,14 @@ groups:
|
|||||||
- id: 1.4.3
|
- id: 1.4.3
|
||||||
text: "Ensure that the controller manager pod specification file
|
text: "Ensure that the controller manager pod specification file
|
||||||
permissions are set to 644 or more restrictive (Scored)"
|
permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -976,45 +914,14 @@ groups:
|
|||||||
- id: 1.4.5
|
- id: 1.4.5
|
||||||
text: "Ensure that the scheduler pod specification file permissions are set
|
text: "Ensure that the scheduler pod specification file permissions are set
|
||||||
to 644 or more restrictive (Scored)"
|
to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -1041,45 +948,14 @@ groups:
|
|||||||
- id: 1.4.7
|
- id: 1.4.7
|
||||||
text: "Ensure that the etcd pod specification file permissions are set to
|
text: "Ensure that the etcd pod specification file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -1106,7 +982,7 @@ groups:
|
|||||||
- id: 1.4.9
|
- id: 1.4.9
|
||||||
text: "Ensure that the Container Network Interface file permissions are
|
text: "Ensure that the Container Network Interface file permissions are
|
||||||
set to 644 or more restrictive (Not Scored)"
|
set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "stat -c %a <path/to/cni/files>"
|
audit: "stat -c permissions=%a <path/to/cni/files>"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
[Manual test]
|
[Manual test]
|
||||||
@ -1129,12 +1005,12 @@ groups:
|
|||||||
|
|
||||||
- id: 1.4.11
|
- id: 1.4.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
|
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "700"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "700"
|
value: "700"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -1163,45 +1039,14 @@ groups:
|
|||||||
- id: 1.4.13
|
- id: 1.4.13
|
||||||
text: "Ensure that the admin.conf file permissions are set to 644 or
|
text: "Ensure that the admin.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -1227,45 +1072,14 @@ groups:
|
|||||||
- id: 1.4.15
|
- id: 1.4.15
|
||||||
text: "Ensure that the scheduler.conf file permissions are set to 644 or
|
text: "Ensure that the scheduler.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the
|
Run the below command (based on the file location on your system) on the
|
||||||
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
|
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
|
||||||
@ -1289,45 +1103,14 @@ groups:
|
|||||||
- id: 1.4.17
|
- id: 1.4.17
|
||||||
text: "Ensure that the controller-manager.conf file permissions are set
|
text: "Ensure that the controller-manager.conf file permissions are set
|
||||||
to 644 or more restrictive (Scored)"
|
to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the
|
Run the below command (based on the file location on your system) on the
|
||||||
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
|
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
|
||||||
@ -1370,43 +1153,12 @@ groups:
|
|||||||
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
|
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
[Manual test]
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
@ -1419,9 +1171,9 @@ groups:
|
|||||||
type: "manual"
|
type: "manual"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "600"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
|
@ -341,45 +341,14 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
@ -404,45 +373,14 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
@ -464,45 +402,14 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
@ -524,25 +431,15 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c permissions=%a $kubeletcafile; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
chmod 644 <filename>
|
chmod 644 <filename>
|
||||||
@ -577,45 +474,14 @@ groups:
|
|||||||
|
|
||||||
- id: 2.2.10
|
- id: 2.2.10
|
||||||
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chmod 644 $kubeletconf
|
chmod 644 $kubeletconf
|
||||||
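Review bot: The new `op: bitmask` / `value: "644"` items in 2.2.1, 2.2.3, 2.2.5, 2.2.7 and 2.2.10 only express "644 or more restrictive" if the comparison parses both the `permissions=` value from the audit output and the YAML value as octal and fails whenever the observed mode has any bit outside the mask; the test.go change that implements this is not in this file, so that is an assumption to confirm before relying on these checks. Since `stat -c %a` prints a fourth digit when setuid/setgid/sticky is set (a constructed example: `4644`), a table test asserting that `600` passes, `664` fails and `4644` fails against `644` would pin the semantics down, including the octal parsing. 2.2.7 keeps `bin_op: or` on the new side although its `test_items` list is now a single entry, while the other four checks drop it; removing it there too keeps the five checks uniform. The same parsing question applies to the 1.1.x and 4.1.x file sections further down.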
|
@ -10,45 +10,14 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 1.1.1
|
- id: 1.1.1
|
||||||
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the
|
Run the below command (based on the file location on your system) on the
|
||||||
master node.
|
master node.
|
||||||
@ -73,45 +42,14 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.3
|
- id: 1.1.3
|
||||||
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -136,45 +74,14 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.5
|
- id: 1.1.5
|
||||||
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -199,45 +106,14 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.7
|
- id: 1.1.7
|
||||||
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions=%a $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -262,7 +138,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.9
|
- id: 1.1.9
|
||||||
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
|
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "stat -c %a <path/to/cni/files>"
|
audit: "stat -c permissions=%a <path/to/cni/files>"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
@ -282,12 +158,12 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
|
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "700"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "700"
|
value: "700"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -314,45 +190,14 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.13
|
- id: 1.1.13
|
||||||
text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -377,45 +222,14 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.15
|
- id: 1.1.15
|
||||||
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions=%a /etc/kubernetes/scheduler.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
@ -440,45 +254,14 @@ groups:
|
|||||||
|
|
||||||
- id: 1.1.17
|
- id: 1.1.17
|
||||||
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions=%a /etc/kubernetes/controller-manager.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
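Review bot: In 1.1.11 the rewritten audit line ending in `| xargs stat -c permissions=%a` still invokes `stat` with no operand when the `ps`/`grep`/`sed` pipeline yields nothing (etcd not running on this node, or the data directory configured outside the command line), so the check surfaces as "permissions not set" rather than as an undeterminable data dir; `xargs -r stat -c permissions=%a` would at least avoid the spurious stat error on GNU and busybox xargs, and the empty-result behaviour is worth a comment on the check. If more than one process line matches the grep, several `permissions=` lines are emitted and it is not visible here which one the flag matcher compares — presumably the first. 1.1.9 also switches to `permissions=%a` but is `type: "manual"` with no `tests:` block, so the prefix has no consumer there; harmless, but worth knowing when reading its output by hand.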
|
@ -10,45 +10,14 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 4.1.1
|
- id: 4.1.1
|
||||||
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker node.
|
Run the below command (based on the file location on your system) on the each worker node.
|
||||||
For example,
|
For example,
|
||||||
@ -70,45 +39,14 @@ groups:
|
|||||||
|
|
||||||
- id: 4.1.3
|
- id: 4.1.3
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker node.
|
Run the below command (based on the file location on your system) on the each worker node.
|
||||||
For example,
|
For example,
|
||||||
@ -129,45 +67,14 @@ groups:
|
|||||||
|
|
||||||
- id: 4.1.5
|
- id: 4.1.5
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker node.
|
Run the below command (based on the file location on your system) on the each worker node.
|
||||||
For example,
|
For example,
|
||||||
@ -215,45 +122,14 @@ groups:
|
|||||||
|
|
||||||
- id: 4.1.9
|
- id: 4.1.9
|
||||||
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
||||||
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
set: true
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
- flag: "640"
|
|
||||||
set: true
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
- flag: "600"
|
|
||||||
set: true
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
bin_op: or
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chmod 644 $kubeletconf
|
chmod 644 $kubeletconf
|
||||||
|
@ -815,12 +815,12 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 4.1
|
- id: 4.1
|
||||||
text: "Verify the OpenShift default permissions for the API server pod specification file"
|
text: "Verify the OpenShift default permissions for the API server pod specification file"
|
||||||
audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
|
audit: "stat -c permissions=%a /etc/origin/node/pods/apiserver.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "600"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -847,12 +847,12 @@ groups:
|
|||||||
|
|
||||||
- id: 4.3
|
- id: 4.3
|
||||||
text: "Verify the OpenShift default file permissions for the controller manager pod specification file"
|
text: "Verify the OpenShift default file permissions for the controller manager pod specification file"
|
||||||
audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
|
audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "600"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -879,18 +879,18 @@ groups:
|
|||||||
|
|
||||||
- id: 4.5
|
- id: 4.5
|
||||||
text: "Verify the OpenShift default permissions for the scheduler pod specification file"
|
text: "Verify the OpenShift default permissions for the scheduler pod specification file"
|
||||||
audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
|
audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "600"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command.
|
Run the below command.
|
||||||
|
|
||||||
chmod 600 stat -c %a /etc/origin/node/pods/controller.yaml
|
chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 4.6
|
- id: 4.6
|
||||||
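Review bot: The remediation for 4.5 now reads `chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml`, which is the audit command pasted behind `chmod 600` rather than a runnable fix; it should be `chmod 600 /etc/origin/node/pods/controller.yaml`. The check text names the scheduler pod specification file, yet both the audit and the remediation point at controller.yaml, the file 4.3 already covers — presumably `scheduler.yaml` was intended, worth confirming against the benchmark. The stale text predates this commit, but the line was rewritten here, so correcting it in the same change is cheap.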
@ -911,12 +911,12 @@ groups:
|
|||||||
|
|
||||||
- id: 4.7
|
- id: 4.7
|
||||||
text: "Verify the OpenShift default etcd pod specification file permissions"
|
text: "Verify the OpenShift default etcd pod specification file permissions"
|
||||||
audit: "stat -c %a /etc/origin/node/pods/etcd.yaml"
|
audit: "stat -c permissions=%a /etc/origin/node/pods/etcd.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "600"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -943,45 +943,14 @@ groups:
|
|||||||
|
|
||||||
- id: 4.9
|
- id: 4.9
|
||||||
text: "Verify the default OpenShift Container Network Interface file permissions"
|
text: "Verify the default OpenShift Container Network Interface file permissions"
|
||||||
audit: "stat -c %a /etc/origin/openvswitch/ /etc/cni/net.d/"
|
audit: "stat -c permissions=%a /etc/origin/openvswitch/ /etc/cni/net.d/"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command.
|
Run the below command.
|
||||||
|
|
||||||
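Review bot: The 4.9 audit runs `stat -c permissions=%a` over two paths, so it prints two `permissions=` lines, and it is not visible from this hunk whether the `permissions` flag is matched against the first line only or against each line. With the single bitmask item replacing the `bin_op: or` list, a permissive mode on the second directory could go unreported if only the first match is evaluated. Worth confirming how multi-line audit output is handled, or splitting this into one stat per path.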
@ -1006,12 +975,12 @@ groups:
|
|||||||
|
|
||||||
- id: 4.11
|
- id: 4.11
|
||||||
text: "Verify the default OpenShift etcd data directory permissions"
|
text: "Verify the default OpenShift etcd data directory permissions"
|
||||||
audit: "stat -c %a /var/lib/etcd"
|
audit: "stat -c permissions=%a /var/lib/etcd"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "700"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "700"
|
value: "700"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -1040,45 +1009,14 @@ groups:
|
|||||||
|
|
||||||
- id: 4.13
|
- id: 4.13
|
||||||
text: "Verify the default OpenShift admin.conf file permissions"
|
text: "Verify the default OpenShift admin.conf file permissions"
|
||||||
audit: "stat -c %a /etc/origin/master/admin.kubeconfig"
|
audit: "stat -c permissions=%a /etc/origin/master/admin.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command.
|
Run the below command.
|
||||||
|
|
||||||
@ -1103,45 +1041,14 @@ groups:
|
|||||||
|
|
||||||
- id: 4.15
|
- id: 4.15
|
||||||
text: "Verify the default OpenShift scheduler.conf file permissions"
|
text: "Verify the default OpenShift scheduler.conf file permissions"
|
||||||
audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
|
audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command.
|
Run the below command.
|
||||||
|
|
||||||
@ -1166,45 +1073,14 @@ groups:
|
|||||||
|
|
||||||
- id: 4.17
|
- id: 4.17
|
||||||
text: "Verify the default Openshift controller-manager.conf file permissions"
|
text: "Verify the default Openshift controller-manager.conf file permissions"
|
||||||
audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
|
audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command.
|
Run the below command.
|
||||||
|
|
||||||
|
@ -213,45 +213,14 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 8.1
|
- id: 8.1
|
||||||
text: "Verify the OpenShift default permissions for the kubelet.conf file"
|
text: "Verify the OpenShift default permissions for the kubelet.conf file"
|
||||||
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 /etc/origin/node/node.kubeconfig
|
chmod 644 /etc/origin/node/node.kubeconfig
|
||||||
@ -274,45 +243,14 @@ groups:
|
|||||||
|
|
||||||
- id: 8.3
|
- id: 8.3
|
||||||
text: "Verify the kubelet service file permissions of 644"
|
text: "Verify the kubelet service file permissions of 644"
|
||||||
audit: "stat -c %a $nodesvc"
|
audit: "stat -c permissions=%a $nodesvc"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 $nodesvc
|
chmod 644 $nodesvc
|
||||||
@ -335,45 +273,14 @@ groups:
|
|||||||
|
|
||||||
- id: 8.5
|
- id: 8.5
|
||||||
text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
|
text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
|
||||||
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 /etc/origin/node/node.kubeconfig
|
chmod 644 /etc/origin/node/node.kubeconfig
|
||||||
@ -396,45 +303,14 @@ groups:
|
|||||||
|
|
||||||
- id: 8.7
|
- id: 8.7
|
||||||
text: "Verify the OpenShift default permissions for the certificate authorities file."
|
text: "Verify the OpenShift default permissions for the certificate authorities file."
|
||||||
audit: "stat -c %a /etc/origin/node/client-ca.crt"
|
audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "permissions"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: bitmask
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
- flag: "444"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "444"
|
|
||||||
set: true
|
|
||||||
- flag: "440"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "440"
|
|
||||||
set: true
|
|
||||||
- flag: "400"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "400"
|
|
||||||
set: true
|
|
||||||
- flag: "000"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "000"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 /etc/origin/node/client-ca.crt
|
chmod 644 /etc/origin/node/client-ca.crt
|
||||||
|
@ -210,8 +210,16 @@ func compareOp(tCompareOp string, flagVal string, tCompareValue string) (string,
|
|||||||
target := splitAndRemoveLastSeparator(tCompareValue, defaultArraySeparator)
|
target := splitAndRemoveLastSeparator(tCompareValue, defaultArraySeparator)
|
||||||
testResult = allElementsValid(s, target)
|
testResult = allElementsValid(s, target)
|
||||||
|
|
||||||
|
case "bitmask":
|
||||||
|
expectedResultPattern = "bitmask '%s' AND '%s'"
|
||||||
|
requested, err := strconv.ParseInt(flagVal, 8, 64)
|
||||||
|
max, err := strconv.ParseInt(tCompareValue, 8, 64)
|
||||||
|
if err != nil {
|
||||||
|
fmt.Fprintf(os.Stderr, "Not numeric value - flag: %q - compareValue: %q %v\n", flagVal, tCompareValue, err)
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
testResult = (max & requested) == requested
|
||||||
}
|
}
|
||||||
|
|
||||||
if expectedResultPattern == "" {
|
if expectedResultPattern == "" {
|
||||||
return expectedResultPattern, testResult
|
return expectedResultPattern, testResult
|
||||||
}
|
}
|
||||||
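Review bot: The error from the first parse, `requested, err := strconv.ParseInt(flagVal, 8, 64)`, is overwritten by the second ParseInt before it is checked, so a non-octal flag value (an empty capture, or a `permissions=` value that is not digits) leaves `requested` at 0 and `(max & 0) == 0` reports the check as passed — the unsafe direction for a benchmark. Check the first result before parsing the second, e.g. `if err != nil { fmt.Fprintf(os.Stderr, "Not numeric value - flag: %q %v\n", flagVal, err); os.Exit(1) }` directly after it, matching the existing error branch. `max` also shadows the builtin of the same name on Go 1.21 and later; a name like `allowed` keeps the comparison's meaning (every bit set in the observed mode must also be set in the allowed mode) visible. compareOp's switch begins outside the hunk.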
|
@ -666,6 +666,19 @@ func TestCompareOp(t *testing.T) {
|
|||||||
{label: "op=valid_elements, valid_elements expectedResultPattern empty", op: "valid_elements", flagVal: "a,b",
|
{label: "op=valid_elements, valid_elements expectedResultPattern empty", op: "valid_elements", flagVal: "a,b",
|
||||||
compareValue: "", expectedResultPattern: "'a,b' contains valid elements from ''",
|
compareValue: "", expectedResultPattern: "'a,b' contains valid elements from ''",
|
||||||
testResult: false},
|
testResult: false},
|
||||||
|
// Test Op "bitmask"
|
||||||
|
{label: "op=bitmask, 644 AND 640", op: "bitmask", flagVal: "640",
|
||||||
|
compareValue: "644", expectedResultPattern: "bitmask '640' AND '644'",
|
||||||
|
testResult: true},
|
||||||
|
{label: "op=bitmask, 644 AND 777", op: "bitmask", flagVal: "777",
|
||||||
|
compareValue: "644", expectedResultPattern: "bitmask '777' AND '644'",
|
||||||
|
testResult: false},
|
||||||
|
{label: "op=bitmask, 644 AND 444", op: "bitmask", flagVal: "444",
|
||||||
|
compareValue: "644", expectedResultPattern: "bitmask '444' AND '644'",
|
||||||
|
testResult: true},
|
||||||
|
{label: "op=bitmask, 644 AND 211", op: "bitmask", flagVal: "211",
|
||||||
|
compareValue: "644", expectedResultPattern: "bitmask '211' AND '644'",
|
||||||
|
testResult: false},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, c := range cases {
|
for _, c := range cases {
|
||||||
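Review bot: The new cases do not cover the boundaries of the operator: a flag equal to the allowed value (`flagVal: "644", compareValue: "644"` → true) and the all-zero mode (`flagVal: "000", compareValue: "644"` → true), which is exactly the case the old `eq` lists spelled out and the bitmask is meant to accept. The labels also read `644 AND 640` while the expected pattern prints the flag first (`'640' AND '644'`); aligning the label with the pattern avoids confusion when a case fails. TestCompareOp begins outside the hunk.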