From 9abc03f8fd4194dc83642baff7a5844ff60dc7cf Mon Sep 17 00:00:00 2001 From: Andy Pitcher Date: Tue, 11 Jul 2023 04:45:06 -0400 Subject: [PATCH] Fix node.yaml - 4.1.7 and 4.1.8 audit by adding uniq (#1472) --- cfg/ack-1.0/node.yaml | 4 ++-- cfg/cis-1.20/node.yaml | 4 ++-- cfg/cis-1.23/node.yaml | 4 ++-- cfg/cis-1.24/node.yaml | 4 ++-- cfg/cis-1.5/node.yaml | 4 ++-- cfg/cis-1.6/node.yaml | 4 ++-- cfg/cis-1.7/node.yaml | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/cfg/ack-1.0/node.yaml b/cfg/ack-1.0/node.yaml index bab4b3a..19a0817 100644 --- a/cfg/ack-1.0/node.yaml +++ b/cfg/ack-1.0/node.yaml @@ -97,7 +97,7 @@ groups: - id: 4.1.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi tests: @@ -114,7 +114,7 @@ groups: - id: 4.1.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: diff --git a/cfg/cis-1.20/node.yaml b/cfg/cis-1.20/node.yaml index 56081dd..2bb9499 100644 --- a/cfg/cis-1.20/node.yaml +++ b/cfg/cis-1.20/node.yaml @@ -98,7 +98,7 @@ groups: - id: 4.1.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi tests: @@ -115,7 +115,7 @@ groups: - id: 4.1.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: diff --git a/cfg/cis-1.23/node.yaml b/cfg/cis-1.23/node.yaml index bfec111..7f93b33 100644 --- a/cfg/cis-1.23/node.yaml +++ b/cfg/cis-1.23/node.yaml @@ -97,7 +97,7 @@ groups: - id: 4.1.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi tests: @@ -114,7 +114,7 @@ groups: - id: 4.1.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: diff --git a/cfg/cis-1.24/node.yaml b/cfg/cis-1.24/node.yaml index 8acf653..6ee5dbc 100644 --- a/cfg/cis-1.24/node.yaml +++ b/cfg/cis-1.24/node.yaml @@ -97,7 +97,7 @@ groups: - id: 4.1.7 text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi tests: @@ -114,7 +114,7 @@ groups: - id: 4.1.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml index dafda45..1349054 100644 --- a/cfg/cis-1.5/node.yaml +++ b/cfg/cis-1.5/node.yaml @@ -106,7 +106,7 @@ groups: - id: 4.1.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi tests: @@ -124,7 +124,7 @@ groups: - id: 4.1.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: diff --git a/cfg/cis-1.6/node.yaml b/cfg/cis-1.6/node.yaml index 78080d9..e396415 100644 --- a/cfg/cis-1.6/node.yaml +++ b/cfg/cis-1.6/node.yaml @@ -98,7 +98,7 @@ groups: - id: 4.1.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi tests: @@ -115,7 +115,7 @@ groups: - id: 4.1.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: diff --git a/cfg/cis-1.7/node.yaml b/cfg/cis-1.7/node.yaml index 0846fc4..d4eabc9 100644 --- a/cfg/cis-1.7/node.yaml +++ b/cfg/cis-1.7/node.yaml @@ -97,7 +97,7 @@ groups: - id: 4.1.7 text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi tests: @@ -114,7 +114,7 @@ groups: - id: 4.1.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)" audit: | - CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}') + CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq) if test -z $CAFILE; then CAFILE=$kubeletcafile; fi if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi tests: