diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index 1b787c3..bdf0ffc 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -99,7 +99,17 @@ groups:
 - id: 4.1.7
 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
- types: "manual"
+ audit: |
+ CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+ if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
+ if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
+ tests:
+ test_items:
+ - flag: "permissions"
+ set: true
+ compare:
+ op: bitmask
+ value: "644"
 remediation: |
 Run the following command to modify the file permissions of the --client-ca-file
 chmod 644
diff --git a/integration/testdata/cis-1.5/job-node.data b/integration/testdata/cis-1.5/job-node.data
index 5de99b8..843a247 100644
--- a/integration/testdata/cis-1.5/job-node.data
+++ b/integration/testdata/cis-1.5/job-node.data
@@ -6,7 +6,7 @@
 [FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
 [PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
-[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
 [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
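Review bot: The new `audit` script expands `$CAFILE` unquoted in both `test` calls and in the `stat` call, and the `ps` pipeline can return more than one line when several kubelet-like processes carry `--client-ca-file=`, so a path containing whitespace or a multi-line result turns `test -e $CAFILE` into a multi-argument call that errors out instead of printing `permissions=`. Quoting the expansions and keeping only the first match makes the result deterministic: `CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | head -n 1)`, `if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi`, `if test -e "$CAFILE"; then stat -c permissions=%a "$CAFILE"; fi`. When the kubelet reads its client CA path from a config file rather than the command line, the pipeline finds nothing and the check rests entirely on `$kubeletcafile`, whose definition is outside this hunk; if that is unset or names a missing file, nothing is printed and, as far as I can tell, the `set: true` flag test reports FAIL rather than the previous WARN. That fail-closed behaviour is reasonable for a CA-file permission check, but it deserves a comment above the `audit:` key such as `# falls back to $kubeletcafile when the kubelet takes clientCAFile from its config file; no output means FAIL`.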
@@ -33,7 +33,6 @@ chmod 644 /etc/kubernetes/proxy.conf
 4.1.4 Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /etc/kubernetes/proxy.conf
-4.1.7 audit test did not run: There are no tests
 4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@@ -81,7 +80,7 @@ systemctl restart kubelet.service
 == Summary ==
-15 checks PASS
+16 checks PASS
 6 checks FAIL
-2 checks WARN
+1 checks WARN
 0 checks INFO
diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data
index 4800169..a11293c 100644
--- a/integration/testdata/cis-1.5/job.data
+++ b/integration/testdata/cis-1.5/job.data
@@ -231,7 +231,7 @@ minimum.
 [FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
 [PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
-[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
 [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
@@ -258,7 +258,6 @@ chmod 644 /etc/kubernetes/proxy.conf
 4.1.4 Run the below command (based on the file location on your system) on the each worker node. For example, chown root:root /etc/kubernetes/proxy.conf
-4.1.7 audit test did not run: There are no tests
 4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0. If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@@ -306,9 +305,9 @@ systemctl restart kubelet.service
 == Summary ==
-15 checks PASS
+16 checks PASS
 6 checks FAIL
-2 checks WARN
+1 checks WARN
 0 checks INFO
 [INFO] 5 Kubernetes Policies
 [INFO] 5.1 RBAC and Service Accounts