mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-08-01 19:38:27 +00:00

fix(audit): improve etcd, controller, and scheduler audits

- Updated 1.1.11 to wrap etcd data directory stat in a conditional check.
- Updated 1.3.7 and 1.4.2 to conditionally check if the controller manager and scheduler binaries exist before running ps/grep.
This commit is contained in:
mjshastha 2025-06-03 13:09:54 +05:30
parent b6a88e8282
commit b1c014e9db


@ -171,14 +171,12 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: stat -c %a /var/lib/etcd audit: '/bin/sh -c "if test -e /var/lib/etcd; then stat -c %a /var/lib/etcd; else echo \"Directory not found\"; fi"'
tests: tests:
bin_op: or
test_items: test_items:
- flag: "700" - flag: "700"
compare: - flag: "Directory not found"
op: eq
value: "700"
set: true
remediation: | remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir, On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'. from the command 'ps -ef | grep etcd'.
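Review bot: Listing "Directory not found" as a passing flag under `bin_op: or` means a node where /var/lib/etcd is absent passes 1.1.11 outright, which hides exactly the case the remediation text warns about (etcd started with a non-default --data-dir). The missing-directory branch should produce a FAIL or WARN, or the audit should derive the path from the --data-dir argument the remediation already tells the user to look up, rather than hardcoding /var/lib/etcd. Separately, dropping the `compare: op: eq value: "700"` block turns the first test item into a plain substring match on the flag "700", which is weaker than the exact comparison the old lines had; keep the compare block on that item.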
@ -947,14 +945,16 @@ groups:
- id: 1.3.7 - id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" audit: '/bin/sh -c "if test -e $controllermanagerbin; then /bin/ps -ef | grep $controllermanagerbin | grep -v grep; else echo \"Controller manager binary not found\"; fi"'
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true set: true
- flag: "Controller manager binary not found"
remediation: | remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
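Review bot: `test -e $controllermanagerbin` is only meaningful if the variable expands to an absolute path; the same variable is used as a `grep` pattern on `ps -ef`, which suggests a bare process name, and `test -e` on a bare name checks the current working directory, so the else branch is taken even when the process is running. Because "Controller manager binary not found" is a passing flag under `bin_op: or`, 1.3.7 would then pass without ever examining --bind-address. The same vacuous pass occurs on clusters where the controller manager runs as a static pod, since the binary lives in the container image rather than on the host filesystem. Gate on the process instead (e.g. on whether the `ps -ef | grep` pipeline returns output) and make the not-found case a FAIL or WARN rather than a pass.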
@ -980,14 +980,16 @@ groups:
- id: 1.4.2 - id: 1.4.2
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" audit: '/bin/sh -c "if test -e $schedulerbin; then /bin/ps -ef | grep $schedulerbin | grep -v grep; else echo \"Scheduler binary not found\"; fi"'
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true set: true
- flag: "Scheduler binary not found"
remediation: | remediation: |
Edit the Scheduler pod specification file $schedulerconf Edit the Scheduler pod specification file $schedulerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
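Review bot: This hunk has the same problem as 1.3.7 above: `test -e $schedulerbin` on a bare binary name does not locate the scheduler, and "Scheduler binary not found" as a passing flag under `bin_op: or` lets 1.4.2 pass without checking --bind-address at all. Treat the not-found branch as FAIL or WARN, and since both checks now embed an identical `/bin/sh -c "if test -e ...; then ps ...; else echo ...; fi"` wrapper, consider factoring the condition into one shared form so a future fix does not have to be applied in three places.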