4.1.7 of cis-1.5 should not be marked as manual (#640)
* 4.1.7 of cis-1.5 should not be marked as manual * Making the test POSIX-compliant like #643
This commit is contained in:
parent
50a9dca720
commit
66692951c8
@ -99,7 +99,17 @@ groups:
|
|||||||
|
|
||||||
- id: 4.1.7
|
- id: 4.1.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
|
||||||
types: "manual"
|
audit: |
|
||||||
|
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
|
||||||
|
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
|
||||||
|
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "permissions"
|
||||||
|
set: true
|
||||||
|
compare:
|
||||||
|
op: bitmask
|
||||||
|
value: "644"
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command to modify the file permissions of the
|
Run the following command to modify the file permissions of the
|
||||||
--client-ca-file chmod 644 <filename>
|
--client-ca-file chmod 644 <filename>
|
||||||
|
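Review bot: `$CAFILE` is expanded unquoted on the two new audit lines `if test -z $CAFILE; then CAFILE=$kubeletcafile; fi` and `if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi`, so a path containing whitespace or glob characters is word-split before `test`/`stat` see it, and `test -z` with an empty expansion only returns true by accident (it ends up testing the literal string `-z`). Quote the expansions: `if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi` and `if test -e "$CAFILE"; then stat -c permissions=%a "$CAFILE"; fi`. `$kubeletcafile` is presumably substituted from kube-bench's config before the script runs; worth confirming, because with the `types: "manual"` line removed an empty substitution now makes `-e` fail and the check report FAIL rather than WARN. The enclosing `groups:` entry that holds this check starts outside the hunk.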
7
integration/testdata/cis-1.5/job-node.data
vendored
7
integration/testdata/cis-1.5/job-node.data
vendored
@ -6,7 +6,7 @@
|
|||||||
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||||
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||||
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||||
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||||
@ -33,7 +33,6 @@ chmod 644 /etc/kubernetes/proxy.conf
|
|||||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||||
|
|
||||||
4.1.7 audit test did not run: There are no tests
|
|
||||||
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
|
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||||
@ -81,7 +80,7 @@ systemctl restart kubelet.service
|
|||||||
|
|
||||||
|
|
||||||
== Summary ==
|
== Summary ==
|
||||||
15 checks PASS
|
16 checks PASS
|
||||||
6 checks FAIL
|
6 checks FAIL
|
||||||
2 checks WARN
|
1 checks WARN
|
||||||
0 checks INFO
|
0 checks INFO
|
||||||
|
7
integration/testdata/cis-1.5/job.data
vendored
7
integration/testdata/cis-1.5/job.data
vendored
@ -231,7 +231,7 @@ minimum.
|
|||||||
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||||
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||||
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||||
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||||
@ -258,7 +258,6 @@ chmod 644 /etc/kubernetes/proxy.conf
|
|||||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||||
|
|
||||||
4.1.7 audit test did not run: There are no tests
|
|
||||||
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
|
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||||
@ -306,9 +305,9 @@ systemctl restart kubelet.service
|
|||||||
|
|
||||||
|
|
||||||
== Summary ==
|
== Summary ==
|
||||||
15 checks PASS
|
16 checks PASS
|
||||||
6 checks FAIL
|
6 checks FAIL
|
||||||
2 checks WARN
|
1 checks WARN
|
||||||
0 checks INFO
|
0 checks INFO
|
||||||
[INFO] 5 Kubernetes Policies
|
[INFO] 5 Kubernetes Policies
|
||||||
[INFO] 5.1 RBAC and Service Accounts
|
[INFO] 5.1 RBAC and Service Accounts
|
||||||
|