mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 07:28:06 +00:00
Merge branch 'master' into json-config
This commit is contained in:
commit
91c6ef2155
File diff suppressed because it is too large
Load Diff
@ -1,376 +1,376 @@
|
|||||||
---
|
---
|
||||||
controls:
|
controls:
|
||||||
id: 2
|
id: 2
|
||||||
text: "Worker Node Security Configuration"
|
text: "Worker Node Security Configuration"
|
||||||
type: "node"
|
type: "node"
|
||||||
groups:
|
groups:
|
||||||
- id: 2.1
|
- id: 7
|
||||||
text: "Kubelet"
|
text: "Kubelet"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.1.1
|
- id: 7.1
|
||||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
text: "Use Security Context Constraints to manage privileged containers as needed"
|
||||||
type: "skip"
|
type: "skip"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.2
|
- id: 7.2
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
text: "Ensure anonymous-auth is not disabled"
|
||||||
type: "skip"
|
type: "skip"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.3
|
- id: 7.3
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
text: "Verify that the --authorization-mode argument is set to WebHook"
|
||||||
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "authorization-mode"
|
- flag: "authorization-mode"
|
||||||
set: false
|
set: false
|
||||||
- flag: "authorization-mode: Webhook"
|
- flag: "authorization-mode: Webhook"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "Webhook"
|
value: "Webhook"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
|
||||||
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
|
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.4
|
- id: 7.4
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
text: "Verify the OpenShift default for the client-ca-file argument"
|
||||||
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "client-ca-file"
|
- flag: "client-ca-file"
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
|
||||||
grep -A1 client-ca-file /etc/origin/node/node-config.yaml
|
grep -A1 client-ca-file /etc/origin/node/node-config.yaml
|
||||||
|
|
||||||
Reset to the OpenShift default.
|
Reset to the OpenShift default.
|
||||||
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
|
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
|
||||||
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
|
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.5
|
- id: 7.5
|
||||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
text: "Verify the OpenShift default setting for the read-only-port argument"
|
||||||
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "read-only-port"
|
- flag: "read-only-port"
|
||||||
set: false
|
set: false
|
||||||
- flag: "read-only-port: 0"
|
- flag: "read-only-port: 0"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "0"
|
value: "0"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.6
|
- id: 7.6
|
||||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
text: "Adjust the streaming-connection-idle-timeout argument"
|
||||||
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "streaming-connection-idle-timeout"
|
- flag: "streaming-connection-idle-timeout"
|
||||||
set: false
|
set: false
|
||||||
- flag: "0"
|
- flag: "5m"
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
|
||||||
value like the following in node-config.yaml.
|
value like the following in node-config.yaml.
|
||||||
|
|
||||||
kubeletArguments:
|
kubeletArguments:
|
||||||
streaming-connection-idle-timeout:
|
streaming-connection-idle-timeout:
|
||||||
- "5m"
|
- "5m"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.7
|
- id: 7.7
|
||||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
|
||||||
type: "skip"
|
type: "skip"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.8
|
- id: 7.8
|
||||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
|
||||||
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "make-iptables-util-chains"
|
- flag: "make-iptables-util-chains"
|
||||||
set: false
|
set: false
|
||||||
- flag: "make-iptables-util-chains: true"
|
- flag: "make-iptables-util-chains: true"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "true"
|
value: "true"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
|
||||||
default value of true.
|
default value of true.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
id: 2.1.9
|
- id: 7.9
|
||||||
text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
|
text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
|
||||||
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "keep-terminated-pod-volumes: false"
|
- flag: "keep-terminated-pod-volumes: false"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "false"
|
value: "false"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Reset to the OpenShift defaults
|
Reset to the OpenShift defaults
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.10
|
- id: 7.10
|
||||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
text: "Verify the OpenShift defaults for the hostname-override argument"
|
||||||
type: "skip"
|
type: "skip"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.11
|
- id: 7.11
|
||||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
text: "Set the --event-qps argument to 0"
|
||||||
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "event-qps"
|
- flag: "event-qps"
|
||||||
set: false
|
set: false
|
||||||
- flag: "event-qps: 0"
|
- flag: "event-qps: 0"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "0"
|
value: "0"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
|
||||||
the kubeletArguments section of.
|
the kubeletArguments section of.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.12
|
- id: 7.12
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
|
||||||
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "/etc/origin/node/certificates"
|
- flag: "/etc/origin/node/certificates"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "/etc/origin/node/certificates"
|
value: "/etc/origin/node/certificates"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Reset to the OpenShift default values.
|
Reset to the OpenShift default values.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.13
|
- id: 7.13
|
||||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
|
||||||
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "cadvisor-port"
|
- flag: "cadvisor-port"
|
||||||
set: false
|
set: false
|
||||||
- flag: "cadvisor-port: 0"
|
- flag: "cadvisor-port: 0"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "0"
|
value: "0"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
|
||||||
if it is set in the kubeletArguments section.
|
if it is set in the kubeletArguments section.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.14
|
- id: 7.14
|
||||||
text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
|
text: "Verify that the RotateKubeletClientCertificate argument is set to true"
|
||||||
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
|
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "RotateKubeletClientCertificate=true"
|
- flag: "RotateKubeletClientCertificate=true"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "true"
|
value: "true"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.15
|
- id: 7.15
|
||||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
text: "Verify that the RotateKubeletServerCertificate argument is set to true"
|
||||||
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
|
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
|
||||||
test:
|
test:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "RotateKubeletServerCertificate=true"
|
- flag: "RotateKubeletServerCertificate=true"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "true"
|
value: "true"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
- id: 2.2
|
- id: 8
|
||||||
text: "Configuration Files"
|
text: "Configuration Files"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 8.1
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Verify the OpenShift default permissions for the kubelet.conf file"
|
||||||
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
- flag: "640"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
- flag: "600"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 /etc/origin/node/node.kubeconfig
|
chmod 644 /etc/origin/node/node.kubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 8.2
|
||||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
text: "Verify the kubeconfig file ownership of root:root"
|
||||||
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: root:root
|
value: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chown root:root /etc/origin/node/node.kubeconfig
|
chown root:root /etc/origin/node/node.kubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 8.3
|
||||||
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
|
text: "Verify the kubelet service file permissions of 644"
|
||||||
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
|
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
- flag: "640"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
- flag: "600"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 /etc/systemd/system/atomic-openshift-node.service
|
chmod 644 /etc/systemd/system/atomic-openshift-node.service
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.4
|
- id: 8.4
|
||||||
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
text: "Verify the kubelet service file ownership of root:root"
|
||||||
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
|
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: root:root
|
value: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chown root:root /etc/systemd/system/atomic-openshift-node.service
|
chown root:root /etc/systemd/system/atomic-openshift-node.service
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.5
|
- id: 8.5
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
|
||||||
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
- flag: "640"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
- flag: "600"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 /etc/origin/node/node.kubeconfig
|
chmod 644 /etc/origin/node/node.kubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 8.6
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
text: "Verify the proxy kubeconfig file ownership of root:root"
|
||||||
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: root:root
|
value: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chown root:root /etc/origin/node/node.kubeconfig
|
chown root:root /etc/origin/node/node.kubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.7
|
- id: 8.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
|
text: "Verify the OpenShift default permissions for the certificate authorities file."
|
||||||
audit: "stat -c %a /etc/origin/node/client-ca.crt"
|
audit: "stat -c %a /etc/origin/node/client-ca.crt"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
- flag: "640"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
- flag: "600"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chmod 644 /etc/origin/node/client-ca.crt
|
chmod 644 /etc/origin/node/client-ca.crt
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.8
|
- id: 8.8
|
||||||
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
text: "Verify the client certificate authorities file ownership of root:root"
|
||||||
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
|
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: root:root
|
value: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command on each worker node.
|
Run the below command on each worker node.
|
||||||
chown root:root /etc/origin/node/client-ca.crt
|
chown root:root /etc/origin/node/client-ca.crt
|
||||||
scored: true
|
scored: true
|
||||||
|
Loading…
Reference in New Issue
Block a user