Issue #421: Merges PR #422 with master (#523)

* Add kubeconfig location of kube-proxy for AKS

* Add job for AKS node

* Automate ca file permission check

* removed job-aks.yaml as other PRs added needed features

* fixed integration test due to merge changes

cfg/cis-1.4/master.yaml

@@ -1215,7 +1215,7 @@ groups:
         set: true
     remediation: |
       [Manual test]
-      Run the below command (based on the file location on your system) on the master node. 
+      Run the below command (based on the file location on your system) on the master node.
       For example, chown -R root:root /etc/kubernetes/pki/
     scored: true
     
@@ -1243,7 +1243,7 @@ groups:
           set: true
     remediation: |
       [Manual test]
-      Run the below command (based on the file location on your system) on the master node. 
+      Run the below command (based on the file location on your system) on the master node.
       For example, chmod -R 644 /etc/kubernetes/pki/*.crt
     scored: true
     
@@ -1260,7 +1260,7 @@ groups:
           set: true
     remediation: |
       [Manual test]
-      Run the below command (based on the file location on your system) on the master node. 
+      Run the below command (based on the file location on your system) on the master node.
       For example, chmod -R 600 /etc/kubernetes/pki/*.key
     scored: true
 

cfg/cis-1.4/node.yaml

@@ -464,8 +464,25 @@ groups:
 
   - id: 2.2.7
     text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
-    type: manual
-    tests: {}
+    audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "644"
+        compare:
+          op: eq
+          value: "644"
+        set: true
+      - flag: "640"
+        compare:
+          op: eq
+          value: "640"
+        set: true
+      - flag: "600"
+        compare:
+          op: eq
+          value: "600"
+        set: true
     remediation: |
       Run the following command to modify the file permissions of the --client-ca-file
       chmod 644 <filename>

cfg/config.yaml

@@ -135,7 +135,8 @@ node:
       - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
       - /var/snap/kube-proxy/current/args
     kubeconfig:
-      - /etc/kubernetes/kubelet-kubeconfig
+      - "/etc/kubernetes/kubelet-kubeconfig"
+      - "/var/lib/kubelet/kubeconfig"
     svc:
       - "/lib/systemd/system/kube-proxy.service"
     defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

integration/testdata/job-master.data

@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
 chown etcd:etcd /var/lib/etcd
 
 1.4.19 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chown -R root:root /etc/kubernetes/pki/
 
 1.4.20 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 644 /etc/kubernetes/pki/*.crt
 
 1.4.21 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 600 /etc/kubernetes/pki/*.key
 
 1.5.1 Follow the etcd service documentation and configure TLS encryption.

integration/testdata/job-node.data

@@ -21,7 +21,7 @@
 [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
 [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
 [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@@ -81,12 +81,9 @@ chmod 644 /etc/kubernetes/proxy.conf
 node. For example,
 chown root:root /etc/kubernetes/proxy.conf
 
-2.2.7 Run the following command to modify the file permissions of the --client-ca-file
-chmod 644 <filename>
-
 
 == Summary ==
-15 checks PASS
+16 checks PASS
 7 checks FAIL
-1 checks WARN
+0 checks WARN
 1 checks INFO

integration/testdata/job.data

@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
 chown etcd:etcd /var/lib/etcd
 
 1.4.19 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chown -R root:root /etc/kubernetes/pki/
 
 1.4.20 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 644 /etc/kubernetes/pki/*.crt
 
 1.4.21 [Manual test]
-Run the below command (based on the file location on your system) on the master node. 
+Run the below command (based on the file location on your system) on the master node.
 For example, chmod -R 600 /etc/kubernetes/pki/*.key
 
 1.5.1 Follow the etcd service documentation and configure TLS encryption.
@@ -447,7 +447,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
 [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
 [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
 [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@@ -507,12 +507,9 @@ chmod 644 /etc/kubernetes/proxy.conf
 node. For example,
 chown root:root /etc/kubernetes/proxy.conf
 
-2.2.7 Run the following command to modify the file permissions of the --client-ca-file
-chmod 644 <filename>
-
 
 == Summary ==
-15 checks PASS
+16 checks PASS
 7 checks FAIL
-1 checks WARN
+0 checks WARN
 1 checks INFO