Updated check to pass if flag isn't set (#375)

5 years ago · 893aa3588c
parent 937bfc7b2e
commit 893aa3588c
2 changed files with 6 additions and 0 deletions
--- a/cfg/1.11/master.yaml
+++ b/cfg/1.11/master.yaml
@ -153,12 +153,15 @@ groups:
    text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
    audit: "ps -ef | grep $apiserverbin | grep -v grep"
    tests:
+      bin_op: or
      test_items:
      - flag: "--enable-admission-plugins"
        compare:
          op: nothave
          value: AlwaysAdmit
        set: true
+      - flag: "--enable-admission-plugins"
+        set: false
    remediation: |
      Edit the API server pod specification file $apiserverconf
      on the master node and set the --enable-admission-plugins parameter to a
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
@ -153,12 +153,15 @@ groups:
    text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
    audit: "ps -ef | grep $apiserverbin | grep -v grep"
    tests:
+      bin_op: or
      test_items:
      - flag: "--enable-admission-plugins"
        compare:
          op: nothave
          value: AlwaysAdmit
        set: true
+      - flag: "--enable-admission-plugins"
+        set: false
    remediation: |
      Edit the API server pod specification file $apiserverconf
      on the master node and set the --enable-admission-plugins parameter to a