From 6684979741919bdbf495d29102f26845ae517e5a Mon Sep 17 00:00:00 2001 From: Huang Huang Date: Mon, 10 Aug 2020 04:44:42 +0800 Subject: [PATCH] =?UTF-8?q?Add=20tests=20for=201.1.19=E3=80=811.1.20=20and?= =?UTF-8?q?=201.1.21=20of=20cis-1.5=20(#641)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add tests for 1.1.19、1.1.20 and 1.1.21 of cis-1.5 * Avoid division by 0 * Use bitmask instead of lte * Change to use multiple values via `use_multiple_values: true` * Use find in 1.1.20 and 1.1.21 --- cfg/cis-1.5/master.yaml | 33 ++++++++++++++++---- integration/testdata/cis-1.5/job-master.data | 22 +++---------- integration/testdata/cis-1.5/job.data | 22 +++---------- 3 files changed, 37 insertions(+), 40 deletions(-) diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml index c6c949a..58806cd 100644 --- a/cfg/cis-1.5/master.yaml +++ b/cfg/cis-1.5/master.yaml @@ -287,8 +287,15 @@ groups: - id: 1.1.19 text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)" - audit: "ls -laR /etc/kubernetes/pki/" - type: "manual" + audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G" + use_multiple_values: true + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -297,8 +304,15 @@ groups: - id: 1.1.20 text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt" - type: "manual" + audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "644" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
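Review bot: In the 1.1.19 hunk the test item uses the expected value itself as the flag (`flag: "root:root"` compared with `op: eq` against `"root:root"`), so the verdict depends on how the flag is located in each `stat` output line. If that lookup is a substring match (the matching code is not part of this patch), an owner such as `nonroot:root` contains the flag and could be reported as PASS. Emitting a key, as the 1.1.20 and 1.1.21 audits do, removes the ambiguity: `audit: "find /etc/kubernetes/pki/ | xargs stat -c ownership=%U:%G"` with `flag: "ownership"` and the same `eq` comparison.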
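Review bot: The `find ... | xargs stat` pipeline in the 1.1.20 audit (and likewise in 1.1.19 and 1.1.21) can invoke `stat` with no operand when `find` matches nothing, for example when the PKI files live in another directory, which leaves stdout empty; it also splits file names on whitespace. How an empty result is scored under `use_multiple_values: true` is not visible in this patch, so it is worth confirming that "nothing was inspected" cannot come out as PASS. `find /etc/kubernetes/pki -name '*.crt' -exec stat -c permissions=%a {} +` avoids both the no-operand run and the word splitting. A short comment on the check saying which result is expected when no files are found would help whoever triages the report.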
@@ -307,8 +321,15 @@ groups: - id: 1.1.21 text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)" - audit: "stat -c %n\ %a /etc/kubernetes/pki/*.key" - type: "manual" + audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a" + use_multiple_values: true + tests: + test_items: + - flag: "permissions" + compare: + op: bitmask + value: "600" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, diff --git a/integration/testdata/cis-1.5/job-master.data b/integration/testdata/cis-1.5/job-master.data index df42aed..a274118 100644 --- a/integration/testdata/cis-1.5/job-master.data +++ b/integration/testdata/cis-1.5/job-master.data @@ -18,9 +18,9 @@ [PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored) [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored) -[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) -[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) -[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) +[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) +[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) +[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) [INFO] 1.2 API Server [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored) [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored) 
@@ -84,18 +84,6 @@ ps -ef | grep etcd Run the below command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd -1.1.19 Run the below command (based on the file location on your system) on the master node. -For example, -chown -R root:root /etc/kubernetes/pki/ - -1.1.20 Run the below command (based on the file location on your system) on the master node. -For example, -chmod -R 644 /etc/kubernetes/pki/*.crt - -1.1.21 Run the below command (based on the file location on your system) on the master node. -For example, -chmod -R 600 /etc/kubernetes/pki/*.key - 1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --anonymous-auth=false @@ -182,7 +170,7 @@ on the master node and set the below parameter. == Summary == -41 checks PASS +44 checks PASS 13 checks FAIL -11 checks WARN +8 checks WARN 0 checks INFO diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data index a11293c..fdfd568 100644 --- a/integration/testdata/cis-1.5/job.data +++ b/integration/testdata/cis-1.5/job.data 
@@ -18,9 +18,9 @@ [PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored) [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored) -[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) -[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) -[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) +[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) +[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) +[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) [INFO] 1.2 API Server [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored) [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored) @@ -84,18 +84,6 @@ ps -ef | grep etcd Run the below command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd -1.1.19 Run the below command (based on the file location on your system) on the master node. -For example, -chown -R root:root /etc/kubernetes/pki/ - -1.1.20 Run the below command (based on the file location on your system) on the master node. -For example, -chmod -R 644 /etc/kubernetes/pki/*.crt - -1.1.21 Run the below command (based on the file location on your system) on the master node. -For example, -chmod -R 600 /etc/kubernetes/pki/*.key - 1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --anonymous-auth=false 
@@ -182,9 +170,9 @@ on the master node and set the below parameter. == Summary == -41 checks PASS +44 checks PASS 13 checks FAIL -11 checks WARN +8 checks WARN 0 checks INFO [INFO] 2 Etcd Node Configuration [INFO] 2 Etcd Node Configuration Files