From bd8dd3adcc17fb27cd78b543ca26fcab433ee872 Mon Sep 17 00:00:00 2001
From: Huang Huang
Date: Mon, 28 Nov 2022 13:58:06 +0800
Subject: [PATCH] use $etcddatadir in more etcd related checks (#1331)

---
 cfg/cis-1.20/master.yaml | 8 +++++++-
 cfg/cis-1.23/master.yaml | 8 +++++++-
 cfg/cis-1.24/master.yaml | 16 ++++++++++++++--
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/cfg/cis-1.20/master.yaml b/cfg/cis-1.20/master.yaml
index 10e5028..a57244d 100644
--- a/cfg/cis-1.20/master.yaml
+++ b/cfg/cis-1.20/master.yaml
@@ -176,7 +176,13 @@ groups:
 - id: 1.1.12
 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
- audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
+ audit: |
+ DATA_DIR=''
+ for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
+ if test -d "$d"; then DATA_DIR="$d"; fi
+ done
+ if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
+ stat -c %U:%G "$DATA_DIR"
 tests:
 test_items:
 - flag: "etcd:etcd"
diff --git a/cfg/cis-1.23/master.yaml b/cfg/cis-1.23/master.yaml
index 8ed17af..db355bb 100644
--- a/cfg/cis-1.23/master.yaml
+++ b/cfg/cis-1.23/master.yaml
@@ -169,7 +169,13 @@ groups:
 - id: 1.1.12
 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
- audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
+ audit: |
+ DATA_DIR=''
+ for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
+ if test -d "$d"; then DATA_DIR="$d"; fi
+ done
+ if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
+ stat -c %U:%G "$DATA_DIR"
 tests:
 test_items:
 - flag: "etcd:etcd"
diff --git a/cfg/cis-1.24/master.yaml b/cfg/cis-1.24/master.yaml
index b28cb0e..a13333d 100644
--- a/cfg/cis-1.24/master.yaml
+++ b/cfg/cis-1.24/master.yaml
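Review bot: `test -d "$d"` dereferences symlinks but `stat -c %U:%G "$DATA_DIR"` does not, so a data directory reached through a symlink is accepted by the loop and then reported with the link's own owner rather than the target's; `stat -L -c %U:%G "$DATA_DIR"` (and `stat -L -c permissions=%a` in the cis-1.24 1.1.11 hunk) makes the audited object the same one the test accepted. The fallback `if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi` also silently substitutes the configured default whenever the running process's `--data-dir` is not visible (flag taken from a config file or environment, or a path in another mount namespace), so the result can describe a directory etcd does not actually use with nothing in the output to show it; a line such as `echo "data-dir not found in process args, using $etcddatadir" >&2` before the assignment keeps that visible, assuming kube-bench surfaces stderr. The loop keeps only the last existing candidate and word-splits the unquoted `$(...)`, so a path containing whitespace is never matched and only one of several etcd processes is audited. The same block is repeated in the cis-1.23 hunk and in both cis-1.24 hunks (1.1.11 and 1.1.12), so these remarks apply to all four.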
@@ -147,7 +147,13 @@ groups:
 - id: 1.1.11
 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
- audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
+ audit: |
+ DATA_DIR=''
+ for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
+ if test -d "$d"; then DATA_DIR="$d"; fi
+ done
+ if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
+ stat -c permissions=%a "$DATA_DIR"
 tests:
 test_items:
 - flag: "permissions"
@@ -163,7 +169,13 @@ groups:
 - id: 1.1.12
 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
- audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
+ audit: |
+ DATA_DIR=''
+ for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
+ if test -d "$d"; then DATA_DIR="$d"; fi
+ done
+ if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
+ stat -c %U:%G "$DATA_DIR"
 tests:
 test_items:
 - flag: "etcd:etcd"
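Review bot: The 1.1.11 permissions check receives the data-dir discovery with the `$etcddatadir` fallback only in cis-1.24, while the cis-1.20 and cis-1.23 parts of this patch touch 1.1.12 alone. If 1.1.11 in those two profiles still uses the old `xargs stat -c permissions=%a` form (not visible in this diff), it keeps producing no output whenever `--data-dir` is absent from the process command line, which is exactly the case this patch addresses for ownership; worth confirming and applying the same block there so the two checks in one profile do not disagree on which directory they audit.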