@ -846,45 +846,14 @@ groups:
- id : 1.4 .1
text : "Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit : "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions= %a $apiserverconf; fi'"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
Run the below command (based on the file location on your system) on the master node.
For example,
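Review bot: the new audit line has a space between `permissions=` and `%a`, so inside the `sh -c '...'` string stat receives `permissions=` as its entire format and `%a` as a second file operand; it will report `cannot stat '%a'` and print `permissions=` with no mode for `$apiserverconf`, leaving the `permissions` flag with nothing to compare against 644. The format has to be one word: `stat -c permissions=%a $apiserverconf`. The same spacing appears in every other `stat -c permissions= %a` audit line in this patch, so fix them together. With a single test item left, `bin_op: or` no longer does anything and can be dropped.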
@ -911,45 +880,14 @@ groups:
- id : 1.4 .3
text : "Ensure that the controller manager pod specification file
permissions are set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
audit : "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions= %a $controllermanagerconf; fi'"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -976,45 +914,14 @@ groups:
- id : 1.4 .5
text : "Ensure that the scheduler pod specification file permissions are set
to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
audit : "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions= %a $schedulerconf; fi'"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
Run the below command (based on the file location on your system) on the master node.
For example,
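Review bot: the `bitmask` comparison only reproduces the old explicit list (644, 640, 600, 444, 440, 400, 000) if the checker parses `value: "644"` as octal and passes exactly when every bit set in the reported mode is also set in 644; it also admits modes the old `eq` list rejected, such as 044 or 004. Neither point is stated anywhere in the YAML, so put the semantics of `bitmask` in the PR description or a comment on the op. A mode carrying a setuid, setgid or sticky bit, which `%a` prints as four digits (for example 1644), must fail this check; please confirm the octal parse covers that case rather than truncating to three digits.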
@ -1041,45 +948,14 @@ groups:
- id : 1.4 .7
text : "Ensure that the etcd pod specification file permissions are set to
644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
audit : "/bin/sh -c 'if test -e $etcdconf; then stat -c permissions= %a $etcdconf; fi'"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
Run the below command (based on the file location on your system) on the master node.
For example,
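Review bot: `set: true` on the `permissions` flag means that when `$etcdconf` does not exist (etcd run outside the cluster rather than as a static pod) the audit prints nothing and the check fails rather than being skipped, and the failure message will not say why. That was also true of the old `flag: "644"` items, but since this hunk rewrites the whole test block it is the moment to decide whether an absent etcd pod spec should be a fail or a skip, and to say so in the PR.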
@ -1106,7 +982,7 @@ groups:
- id : 1.4 .9
text : "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit : "stat -c %a <path/to/cni/files>"
audit : "stat -c permissions= %a <path/to/cni/files>"
type : "manual"
remediation : |
[ Manual test]
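Review bot: this check is `type: manual` with a placeholder path, so the `permissions=` prefix has no automated consumer, and `stat -c permissions= %a <path/to/cni/files>` run over a directory of several files prints one bare mode per file with nothing saying which file each belongs to. Use `stat -c '%n permissions=%a' <path/to/cni/files>` so the operator can attribute each mode to a file, and quote the format so `%a` is not handed to stat as a separate operand.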
@ -1129,12 +1005,12 @@ groups:
- id : 1.4 .11
text : "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit : ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
audit : ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions= %a
tests:
test_items:
- flag : " 700 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "700"
set : true
remediation : |
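Review bot: the pipeline can deliver more than one path to `xargs stat` (a second etcd process, or, if the audit itself runs under a shell whose own command line appears in `ps -ef`, that shell's line, which contains both `$etcdbin` and `--data-dir` and makes the sed extract garbage), and then several `permissions=` lines are printed with no rule for which one the `bitmask` compare uses. Filtering with `grep -v grep` and taking a single path (`head -1`) before `xargs` makes the result deterministic. As with the other audit lines, `stat -c permissions= %a` passes `%a` as a file name rather than as part of the format; write `permissions=%a`.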
@ -1163,45 +1039,14 @@ groups:
- id : 1.4 .13
text : "Ensure that the admin.conf file permissions are set to 644 or
more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions= %a /etc/kubernetes/admin.conf; fi'"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
Run the below command (based on the file location on your system) on the master node.
For example,
@ -1227,45 +1072,14 @@ groups:
- id : 1.4 .15
text : "Ensure that the scheduler.conf file permissions are set to 644 or
more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c %a /etc/kubernetes/scheduler.conf; fi'"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/scheduler.conf; then stat -c permissions= %a /etc/kubernetes/scheduler.conf; fi'"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/scheduler.conf
@ -1289,45 +1103,14 @@ groups:
- id : 1.4 .17
text : "Ensure that the controller-manager.conf file permissions are set
to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c %a /etc/kubernetes/controller-manager.conf; fi'"
audit : "/bin/sh -c 'if test -e /etc/kubernetes/controller-manager.conf; then stat -c permissions= %a /etc/kubernetes/controller-manager.conf; fi'"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
Run the below command (based on the file location on your system) on the
master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf
@ -1370,43 +1153,12 @@ groups:
audit : "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
type : "manual"
tests:
bin_op : or
test_items:
- flag : " 644 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "644"
set : true
- flag : "640"
compare:
op : eq
value : "640"
set : true
- flag : "600"
compare:
op : eq
value : "600"
set : true
- flag : "444"
compare:
op : eq
value : "444"
set : true
- flag : "440"
compare:
op : eq
value : "440"
set : true
- flag : "400"
compare:
op : eq
value : "400"
set : true
- flag : "000"
compare:
op : eq
value : "000"
set : true
remediation : |
[ Manual test]
Run the below command (based on the file location on your system) on the master node.
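Review bot: the test now looks for a `permissions` flag, but the audit on this check is unchanged and still prints `%n %a`, so its output never contains `permissions=` and the flag cannot match. Either change the audit to `stat -c '%n permissions=%a' /etc/kubernetes/pki/*.crt` or drop the `tests:` block; since the check is `type: manual` the block is not executed, but a test that can never agree with its own audit output is dead configuration that will mislead the next person who makes the check automatic.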
@ -1419,9 +1171,9 @@ groups:
type : "manual"
tests:
test_items:
- flag : " 600 "
- flag : " permissions "
compare:
op : eq
op : bitmask
value : "600"
set : true
remediation : |
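Review bot: the audit line for this check sits outside the hunk, so the diff does not show whether it was changed to emit `permissions=`; with the flag renamed from `600` to `permissions`, an audit that still prints a bare `%a` would never match. Please include the audit line in the diff (or confirm it in the PR) so both halves of the check can be reviewed together; the preceding `*.crt` check shows what happens when only the test side is updated.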