mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-22 06:38:06 +00:00
4.1.7 of cis-1.5 should not be marked as manual (#640)
* 4.1.7 of cis-1.5 should not be marked as manual * Making the test posix compliant like #643
This commit is contained in:
parent
50a9dca720
commit
66692951c8
@ -99,7 +99,17 @@ groups:
|
||||
|
||||
- id: 4.1.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
|
||||
types: "manual"
|
||||
audit: |
|
||||
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
|
||||
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
|
||||
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "permissions"
|
||||
set: true
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
remediation: |
|
||||
Run the following command to modify the file permissions of the
|
||||
--client-ca-file chmod 644 <filename>
|
||||
|
7
integration/testdata/cis-1.5/job-node.data
vendored
7
integration/testdata/cis-1.5/job-node.data
vendored
@ -6,7 +6,7 @@
|
||||
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||
@ -33,7 +33,6 @@ chmod 644 /etc/kubernetes/proxy.conf
|
||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
4.1.7 audit test did not run: There are no tests
|
||||
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||
@ -81,7 +80,7 @@ systemctl restart kubelet.service
|
||||
|
||||
|
||||
== Summary ==
|
||||
15 checks PASS
|
||||
16 checks PASS
|
||||
6 checks FAIL
|
||||
2 checks WARN
|
||||
1 checks WARN
|
||||
0 checks INFO
|
||||
|
7
integration/testdata/cis-1.5/job.data
vendored
7
integration/testdata/cis-1.5/job.data
vendored
@ -231,7 +231,7 @@ minimum.
|
||||
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||
@ -258,7 +258,6 @@ chmod 644 /etc/kubernetes/proxy.conf
|
||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
4.1.7 audit test did not run: There are no tests
|
||||
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||
@ -306,9 +305,9 @@ systemctl restart kubelet.service
|
||||
|
||||
|
||||
== Summary ==
|
||||
15 checks PASS
|
||||
16 checks PASS
|
||||
6 checks FAIL
|
||||
2 checks WARN
|
||||
1 checks WARN
|
||||
0 checks INFO
|
||||
[INFO] 5 Kubernetes Policies
|
||||
[INFO] 5.1 RBAC and Service Accounts
|
||||
|
Loading…
Reference in New Issue
Block a user