From a6036bcfcf9652dfb850754d32a583686420e492 Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Thu, 31 Aug 2017 17:39:40 +0100
Subject: [PATCH] =?UTF-8?q?Corrections=20to=20config=20file=20substitution?=
 =?UTF-8?q?s.=20Use=20=E2=80=9Ckubernetes=E2=80=9D=20as=20a=20fake=20compo?=
 =?UTF-8?q?nent=20name=20so=20we=20can=20more=20easily=20substitute=20?=
 =?UTF-8?q?=E2=80=9Ckubernetesconf=E2=80=9D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cfg/config.yaml | 11 ++++++++---
 cfg/master.yaml | 8 ++++----
 cfg/node.yaml | 14 +++++++-------
 3 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/cfg/config.yaml b/cfg/config.yaml
index 6836fd5..8ad2e89 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -14,8 +14,7 @@ master:
 - controllermanager
 - etcd
 - flanneld
- # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the
- # benchmark but is believed to now be obselete
+ # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
 - kubernetes
 kubernetes:
@@ -74,6 +73,11 @@ node:
 components:
 - kubelet
 - proxy
+ # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
+ - kubernetes
+
+ kubernetes:
+ defaultconf: /etc/kubernetes/config
 kubelet:
 bins:
@@ -81,7 +85,8 @@ node:
 - "kubelet"
 confs:
 - /etc/kubernetes/kubelet.conf
- - /etc/kubernetes/kubelet
+ - /etc/kubernetes/kubelet
+ defaultconf: "/etc/kubernetes/kubelet.conf"
 proxy:
 bins:
diff --git a/cfg/master.yaml b/cfg/master.yaml
index f54bf6a..dc9295e 100644
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@@ -636,7 +636,7 @@ groups:
 - id: 1.4.3
 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
- audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
+ audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
 tests:
 bin_op: or
 test_items:
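Review bot: The rewritten comment on the master `kubernetes` component drops the old note that /etc/kubernetes/config may be obsolete, so a reader no longer learns whether the file is expected to exist on current installs; the 1.4.3/1.4.4 and 2.2.1/2.2.2 audits in this patch guard with `test -e` and print nothing when it is absent, so the intended outcome for a missing file is worth stating where the component is declared. Suggested comment: `# kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark; the file may be absent on current installs, in which case the audits that use $kubernetesconf produce no output`. The same comment is duplicated under `node:` in the next hunk, so keep the two in step.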
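Review bot: The new `defaultconf: /etc/kubernetes/config` under the node `kubernetes` component is an unquoted scalar while the `defaultconf: "/etc/kubernetes/kubelet.conf"` added in the following hunk is quoted; pick one form, `defaultconf: "/etc/kubernetes/config"`, so the two path defaults read as the same kind of value. The master-side `kubernetes:` block is only visible as a context line in the first hunk, so I cannot confirm it carries a matching `defaultconf` for `$kubernetesconf` to resolve against in master.yaml 1.4.3/1.4.4; if it does not, the audit strings there would keep the literal `$kubernetesconf`.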
@@ -656,12 +656,12 @@ groups:
 value: "600"
 set: true
 remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chmod 644 $config"
+ \nFor example, chmod 644 $kubernetesconf"
 scored: true
 - id: 1.4.4
 text: "Ensure that the config file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
+ audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
 tests:
 test_items:
 - flag: "root:root"
@@ -670,7 +670,7 @@ groups:
 value: "root:root"
 set: true
 remediation: "Run the below command (based on the file location on your system) on the master node.
- \nFor example, chown root:root $config"
+ \nFor example, chown root:root $kubernetesconf"
 scored: true
 - id: 1.4.5
diff --git a/cfg/node.yaml b/cfg/node.yaml
index a146baa..0a1c0b6 100644
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@@ -17,7 +17,7 @@ groups:
 op: eq
 value: false
 set: true
- remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV
+ remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV
 parameter to \"--allow-privileged=false\""
 scored: true
@@ -199,7 +199,7 @@ groups:
 op: eq
 value: true
 set: true
- remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
 to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
 scored: true
@@ -213,7 +213,7 @@ groups:
 op: eq
 value: true
 set: true
- remediation: "Edit the /etc/kubernetes/kubelet file on each node and set the KUBELET_ARGS parameter
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
 to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
 scored: true
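Review bot: In the node.yaml hunk at -17 this is the only `$config` in the patch that becomes `$kubeletconf` rather than `$kubernetesconf`; the removed line tied KUBE_ALLOW_PRIV to `$config`, which everywhere else in this commit is renamed to the /etc/kubernetes/config file that the new `kubernetes` component exists to cover. If KUBE_ALLOW_PRIV is read from /etc/kubernetes/config, the line should read `remediation: "Edit the $kubernetesconf file on each node and set the KUBE_ALLOW_PRIV`; if the move to the kubelet file is deliberate, a comment such as `# KUBE_ALLOW_PRIV is set in the kubelet config here, not in /etc/kubernetes/config` would stop the next reader from "fixing" it. The check's id, text and audit lines are outside the hunk, so I cannot confirm which file its audit inspects.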
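Review bot: In the node.yaml hunk at -199 the remediation now points at `$kubeletconf` for KUBELET_ARGS, but the removed line named /etc/kubernetes/kubelet, and the kubelet `defaultconf` added to config.yaml in this same patch is `/etc/kubernetes/kubelet.conf`; if `$kubeletconf` resolves to that default, operators are directed to kubelet.conf to set a variable the previous text placed in /etc/kubernetes/kubelet. Either keep the literal `/etc/kubernetes/kubelet` here, or introduce a separate substitution for that file and document in config.yaml which `confs` entry each substitution resolves to. The hunk at -213 (RotateKubeletServerCertificate) makes the same change and has the same question.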
@@ -222,7 +222,7 @@ groups:
 checks:
 - id: 2.2.1
 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
- audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
+ audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
 tests:
 bin_op: or
 test_items:
@@ -242,12 +242,12 @@ groups:
 value: "600"
 set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chmod 644 $config"
+ \nFor example, chmod 644 $kubernetesconf"
 scored: true
 - id: 2.2.2
 text: "Ensure that the config file ownership is set to root:root (Scored)"
- audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
+ audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
 tests:
 test_items:
 - flag: "root:root"
@@ -256,7 +256,7 @@ groups:
 value: root:root
 set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node.
- \nFor example, chown root:root $config"
+ \nFor example, chown root:root $kubernetesconf"
 scored: true
 - id: 2.2.3