@ -320,7 +320,7 @@ groups:
- id : 2.2 .1
- id : 2.2 .1
text : "Ensure that the kubelet.conf file permissions are set to 644 or
text : "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $kubelet conf; then stat -c %a $kubeletconf; fi'"
audit : "/bin/sh -c 'if test -e $kubelet kube config ; then stat -c %a $kubeletkube config ; fi'"
tests:
tests:
bin_op : or
bin_op : or
test_items:
test_items:
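Review bot: The path variable in the 2.2.1 audit is expanded unquoted inside `sh -c`, so a path containing whitespace, or a variable that ends up empty, makes `test -e` and `stat` see the wrong operands. With an empty expansion `test -e` has a single non-empty argument and evaluates true, and `stat` then runs with no file, so a misconfigured variable is reported as an ordinary permission failure instead of a missing path. Assuming the tool substitutes the variable textually before the shell runs, quoting both uses would close this: `if test -e \"$kubeletkubeconfig\"; then stat -c %a \"$kubeletkubeconfig\"; fi`. The same pattern is in the audit lines of 2.2.2, 2.2.5, 2.2.6, 2.2.9 and 2.2.10 in the later hunks. The 2.2.1 entry continues outside this hunk.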
@ -342,12 +342,12 @@ groups:
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker
node. For example,
node. For example,
chmod 644 $kubelet conf
chmod 644 $kubelet kube config
scored : true
scored : true
- id : 2.2 .2
- id : 2.2 .2
text : "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
text : "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit : "/bin/sh -c 'if test -e $kubelet conf; then stat -c %U:%G $kubeletconf; fi'"
audit : "/bin/sh -c 'if test -e $kubelet kube config ; then stat -c %U:%G $kubeletkube config ; fi'"
tests:
tests:
test_items:
test_items:
- flag : "root:root"
- flag : "root:root"
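Review bot: The remediation example `chmod 644 $kubeletkubeconfig` widens access when the file is already at 600 or 400, and a kubelet kubeconfig typically holds the node's API credentials. The check text accepts "644 or more restrictive", so the remediation should say when the command applies, for example by adding `Only run this if the audit output is more permissive than 644.` before the command. The same wording is in the 2.2.5 remediation and the 2.2.10 remediation in later hunks. The 2.2.2 entry continues outside this hunk.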
@ -358,7 +358,7 @@ groups:
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker
node. For example,
node. For example,
chown root:root $kubelet conf
chown root:root $kubelet kube config
scored : true
scored : true
- id : 2.2 .3
- id : 2.2 .3
@ -404,7 +404,7 @@ groups:
- id : 2.2 .5
- id : 2.2 .5
text : "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
text : "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $proxy conf; then stat -c %a $proxyconf; fi'"
audit : "/bin/sh -c 'if test -e $proxy kube config ; then stat -c %a $proxykube config ; fi'"
tests:
tests:
bin_op : or
bin_op : or
test_items:
test_items:
@ -426,12 +426,12 @@ groups:
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker
node. For example,
node. For example,
chmod 644 $proxy conf
chmod 644 $proxy kube config
scored : true
scored : true
- id : 2.2 .6
- id : 2.2 .6
text : "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
text : "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit : "/bin/sh -c 'if test -e $proxy conf; then stat -c %U:%G $proxyconf; fi'"
audit : "/bin/sh -c 'if test -e $proxy kube config ; then stat -c %U:%G $proxykube config ; fi'"
tests:
tests:
test_items:
test_items:
- flag : "root:root"
- flag : "root:root"
@ -439,7 +439,7 @@ groups:
remediation : |
remediation : |
Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker
node. For example,
node. For example,
chown root:root $proxy conf
chown root:root $proxy kube config
scored : true
scored : true
- id : 2.2 .7
- id : 2.2 .7
@ -462,19 +462,19 @@ groups:
- id : 2.2 .9
- id : 2.2 .9
text : "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
text : "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit : "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml ; fi'"
audit : "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf ; fi'"
tests:
tests:
test_items:
test_items:
- flag : "root:root"
- flag : "root:root"
set : true
set : true
remediation : |
remediation : |
Run the following command (using the config file location identied in the Audit step)
Run the following command (using the config file location identied in the Audit step)
chown root:root /etc/kubernetes/kubelet. conf
chown root:root $kubelet conf
scored : true
scored : true
- id : 2.2 .10
- id : 2.2 .10
text : "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
text : "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %a /var/lib/kubelet/config.yaml ; fi'"
audit : "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf ; fi'"
tests:
tests:
bin_op : or
bin_op : or
test_items:
test_items:
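Review bot: `$kubeletconf` changes meaning in this commit. The earlier hunks stop using it for the kubeconfig, and the 2.2.9 and 2.2.10 audits now use it for the kubelet configuration file that was previously hard-coded as /var/lib/kubelet/config.yaml. A deployment whose own settings still point `$kubeletconf` at the kubeconfig would, it appears, have these two checks inspect the wrong file and still pass if that file happens to be root:root. A comment above 2.2.9 would make the contract explicit, e.g. `# $kubeletconf = kubelet config file (config.yaml); $kubeletkubeconfig = kubelet kubeconfig`. The variable definitions themselves are not visible in this diff.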
@ -495,5 +495,5 @@ groups:
set : true
set : true
remediation : |
remediation : |
Run the following command (using the config file location identied in the Audit step)
Run the following command (using the config file location identied in the Audit step)
chmod 644 /var/lib/kubelet/config.yaml
chmod 644 $kubeletconf
scored : true
scored : true