|
|
|
@ -106,7 +106,7 @@ groups:
|
|
|
|
|
- id: 4.1.7
|
|
|
|
|
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
|
|
|
|
|
audit: |
|
|
|
|
|
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
|
|
|
|
|
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
|
|
|
|
|
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
|
|
|
|
|
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
|
|
|
|
|
tests:
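Review bot: `uniq` only merges adjacent identical lines, so the 4.1.7 `CAFILE=` pipeline (the variant ending in `| uniq`, which appears to be the new side) still returns several lines when the matching kubelet command lines carry different `--client-ca-file=` values or the duplicates are not adjacent. `$CAFILE` is then expanded unquoted, so `test -z $CAFILE` and `test -e $CAFILE` word-split and error out, and the audit prints no permissions line for a CA file that does exist. An empty value has a similar problem: `test -e` with no operand succeeds and `stat` runs without a file argument. Consider ending the pipeline with `| sort -u` and quoting every expansion, e.g. `if test -e "$CAFILE"; then stat -c permissions=%a "$CAFILE"; fi`, so that an ambiguous result fails visibly instead of depending on shell word splitting. The 4.1.8 hunk below has the same pipeline and the same unquoted expansions.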
|
|
|
|
@ -124,7 +124,7 @@ groups:
|
|
|
|
|
- id: 4.1.8
|
|
|
|
|
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
|
|
|
|
audit: |
|
|
|
|
|
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
|
|
|
|
|
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
|
|
|
|
|
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
|
|
|
|
|
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
|
|
|
|
|
tests:
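Review bot: `stat -c %U:%G $CAFILE` in 4.1.8 describes the path itself, so if the configured CA path is a symbolic link the audit reports the link's owner rather than the owner of the certificate file behind it. A root-owned link to a file owned by another user would then satisfy the check. GNU `stat` follows links with `-L`, e.g. `stat -L -c %U:%G "$CAFILE"`. The same applies to `stat -c permissions=%a` in 4.1.7, where a link would typically report 777 and fail a correctly protected file. How a missing file is scored depends on the `tests:` section, which continues outside this hunk.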
|
|
|
|
|