arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00
Code Issues Releases Wiki Activity

use $etcddatadir in more etcd related checks (#1331)

Browse Source
This commit is contained in:
Huang Huang 2022-11-28 13:58:06 +08:00 committed by GitHub
parent 865817dfda
commit bd8dd3adcc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cfg/cis-1.20/master.yaml
View File

@ -176,7 +176,13 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"

8
cfg/cis-1.23/master.yaml
View File

@ -169,7 +169,13 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"

16
cfg/cis-1.24/master.yaml
View File

@ -147,7 +147,13 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -163,7 +169,13 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G "$DATA_DIR"
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"