@ -320,7 +320,7 @@ groups:
- id : 2.2 .1
text : "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $kubelet conf; then stat -c %a $kubeletconf; fi'"
audit : "/bin/sh -c 'if test -e $kubelet kube config ; then stat -c %a $kubeletkube config ; fi'"
tests:
bin_op : or
test_items:
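Review bot: the `text` of 2.2.1 still reads "kubelet.conf file" while the audit now resolves `$kubeletkubeconfig`, so the title and the path actually checked can disagree when the kubeconfig is not named kubelet.conf. If the text is not required to match the benchmark wording verbatim, consider aligning it with the style already used for 2.2.5 ("proxy kubeconfig file"), and do the same for 2.2.2.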
@ -342,12 +342,12 @@ groups:
remediation : |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubelet conf
chmod 644 $kubelet kube config
scored : true
- id : 2.2 .2
text : "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit : "/bin/sh -c 'if test -e $kubelet conf; then stat -c %U:%G $kubeletconf; fi'"
audit : "/bin/sh -c 'if test -e $kubelet kube config ; then stat -c %U:%G $kubeletkube config ; fi'"
tests:
test_items:
- flag : "root:root"
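Review bot: the expansion in the 2.2.2 audit is unquoted in both `test -e $kubeletkubeconfig` and `stat -c %U:%G $kubeletkubeconfig`. If the variable resolves to an empty string, `test -e` with no operand evaluates as true and `stat` then runs with no file, so the check fails on an error message instead of on ownership. A path containing whitespace would be split the same way. Quoting the expansion (escaped inside the YAML string) or guarding with `test -n` first would make the failure mode explicit. The same applies to the other audit lines touched by this patch.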
@ -358,7 +358,7 @@ groups:
remediation : |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubelet conf
chown root:root $kubelet kube config
scored : true
- id : 2.2 .3
@ -404,7 +404,7 @@ groups:
- id : 2.2 .5
text : "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e $proxy conf; then stat -c %a $proxyconf; fi'"
audit : "/bin/sh -c 'if test -e $proxy kube config ; then stat -c %a $proxykube config ; fi'"
tests:
bin_op : or
test_items:
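Review bot: the `if test -e ...` guard in the 2.2.5 audit prints nothing when the proxy kubeconfig is absent on the node, and the visible context (`bin_op : or` followed by `test_items`) does not show how empty output is scored. Please confirm that a node without this file is not reported as a permissions failure, or add an else branch that echoes an explicit marker the tests can match.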
@ -426,12 +426,12 @@ groups:
remediation : |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxy conf
chmod 644 $proxy kube config
scored : true
- id : 2.2 .6
text : "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit : "/bin/sh -c 'if test -e $proxy conf; then stat -c %U:%G $proxyconf; fi'"
audit : "/bin/sh -c 'if test -e $proxy kube config ; then stat -c %U:%G $proxykube config ; fi'"
tests:
test_items:
- flag : "root:root"
@ -439,7 +439,7 @@ groups:
remediation : |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxy conf
chown root:root $proxy kube config
scored : true
- id : 2.2 .7
@ -462,19 +462,19 @@ groups:
- id : 2.2 .9
text : "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit : "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %U:%G /var/lib/kubelet/config.yaml ; fi'"
audit : "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf ; fi'"
tests:
test_items:
- flag : "root:root"
set : true
remediation : |
Run the following command (using the config file location identied in the Audit step)
chown root:root /etc/kubernetes/kubelet. conf
chown root:root $kubelet conf
scored : true
- id : 2.2 .10
text : "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit : "/bin/sh -c 'if test -e /var/lib/kubelet/config.yaml; then stat -c %a /var/lib/kubelet/config.yaml ; fi'"
audit : "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf ; fi'"
tests:
bin_op : or
test_items:
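Review bot: `$kubeletconf` changes meaning in this patch. In the earlier hunks it is the name being replaced for the kubelet kubeconfig (2.2.1, 2.2.2), and here in 2.2.9 and 2.2.10 it becomes the kubelet configuration file that was previously hardcoded as /var/lib/kubelet/config.yaml. Any existing configuration that still defines kubeletconf as the kubeconfig path would make these two checks stat the wrong file without raising an error. The variable definitions are not part of the visible hunks, so please confirm they are updated in the same change, and consider a comment next to the definition (or a distinct name) to make the reuse explicit.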
@ -495,5 +495,5 @@ groups:
set : true
remediation : |
Run the following command (using the config file location identied in the Audit step)
chmod 644 /var/lib/kubelet/config.yaml
chmod 644 $kubeletconf
scored : true
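Review bot: the remediation text for 2.2.10 still says "using the config file location identied in the Audit step", but the audit only prints the mode via `stat -c %a` and never the location, and the command now carries `$kubeletconf` itself. Since these lines are being touched anyway, reword the parenthetical to something the operator can act on and fix the "identied" typo. The same sentence appears in the 2.2.9 remediation.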