@ -595,10 +595,14 @@ groups:
checks:
- id : 1.4 .1
text : "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
audit : "if test -e $apiserverconf; then stat -c %a $apiserverconf; fi"
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit : "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests:
test_items:
- flag : "644"
compare:
op : eq
value : "644"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $apiserverconf"
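Review bot: The new `compare` block pins the mode with `op: eq` / `value: "644"`, but the check text asks for 644 *or more restrictive*, so a file at 600 or 640 — which is compliant — will be reported as a scored failure; the pre-existing `flag: "644"` match had the same limitation and the added lines make it explicit rather than addressing it. If the test engine offers a permission-mask comparison, use it here; otherwise record the limitation next to the test, e.g. `# NOTE: eq 644 also fails on stricter modes such as 600 - revisit once a mask-aware op exists`. The commented-out `/bin/bash -c` variant left on the line above the active `/bin/sh` audit is dead configuration and should be dropped rather than kept as an alternative.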
@ -606,10 +610,13 @@ groups:
- id : 1.4 .2
text : "Ensure that the apiserver file ownership is set to root:root (Scored)"
audit : " if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi"
audit : " /bin/sh -c ' if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi' "
tests:
test_items:
- flag : "root:root"
compare:
op : eq
value : "root:root"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chown root:root $apiserverconf"
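Review bot: The new audit string opens with a space before `/bin/sh`, has another after the inner `'`, and ends with a space after the closing quote; the shell ignores them, but they differ from the 1.4.1 audit in the same change and read like an indentation slip. Inside the `sh -c '...'` string, `$apiserverconf` only works if the tool substitutes it textually before execution — the single quotes stop any outer shell from expanding it, and an inner shell would see it only if it were exported — so confirm that is how variables are resolved. If it is, the substituted path should be double-quoted so a path containing a space does not split: `/bin/sh -c 'if test -e "$apiserverconf"; then stat -c %U:%G "$apiserverconf"; fi'`.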
@ -617,10 +624,13 @@ groups:
- id : 1.4 .3
text : "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit : " if test -e $config; then stat -c %a $config; fi"
audit : " /bin/sh -c ' if test -e $config; then stat -c %a $config; fi' "
tests:
test_items:
- flag : "644"
compare:
op : eq
value : "644"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $config"
@ -628,10 +638,13 @@ groups:
- id : 1.4 .4
text : "Ensure that the config file ownership is set to root:root (Scored)"
audit : " if test -e $config; then stat -c %U:%G $config; fi"
audit : " /bin/sh -c ' if test -e $config; then stat -c %U:%G $config; fi' "
tests:
test_items:
- flag : "root:root"
compare:
op : eq
value : "root:root"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chown root:root $config"
@ -639,10 +652,13 @@ groups:
- id : 1.4 .5
text : "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
audit : " if test -e $schedulerconf; then stat -c %a $schedulerconf; fi"
audit : " /bin/sh -c ' if test -e $schedulerconf; then stat -c %a $schedulerconf; fi' "
tests:
test_items:
- flag : "644"
compare:
op : eq
value : "644"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $schedulerconf"
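Review bot: Because the added `compare` uses `op: eq` against `"644"`, a scheduler file already locked down to 600 fails this scored check, and the remediation text then tells the operator to run `chmod 644 $schedulerconf` — which would *loosen* a file that was more restrictive than the benchmark requires. Until a mask-aware comparison is available, the remediation wording should guard against that, e.g. `For example, chmod 644 $schedulerconf (do not apply if the file is already more restrictive, such as 600)`. The leading spaces in the new audit string are harmless but inconsistent with the 1.4.1 audit in this change.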
@ -650,10 +666,13 @@ groups:
- id : 1.4 .6
text : "Ensure that the scheduler file ownership is set to root:root (Scored)"
audit : " if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi"
audit : " /bin/sh -c ' if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi' "
tests:
test_items:
- flag : "root:root"
compare:
op : eq
value : "root:root"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chown root:root $schedulerconf"
@ -661,10 +680,13 @@ groups:
- id : 1.4 .7
text : "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
audit : " if test -e $etcdconf; then stat -c %a $etcdconf; fi"
audit : " /bin/sh -c ' if test -e $etcdconf; then stat -c %a $etcdconf; fi' "
tests:
test_items:
- flag : "644"
compare:
op : eq
value : "644"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $etcdconf"
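Review bot: Wrapping the audit in `/bin/sh -c '...'` only changes behaviour if the runner was previously executing the audit string without a shell; if it already invokes a shell on the string (not visible from this hunk), the new wrapper is a second shell that adds a layer of quoting for no gain. Worth confirming how audits are executed before applying this pattern to every check, and recording the reason in a comment, e.g. `# audit is wrapped in sh -c so the if/then/fi construct is evaluated by a shell`. The `eq 644` comparison also rejects stricter modes such as 600, contrary to the "or more restrictive" wording.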
@ -672,10 +694,13 @@ groups:
- id : 1.4 .8
text : "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
audit : " if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi"
audit : " /bin/sh -c ' if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi' "
tests:
test_items:
- flag : "root:root"
compare:
op : eq
value : "root:root"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chown root:root $etcdconf"
@ -683,10 +708,13 @@ groups:
- id : 1.4 .9
text : "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
audit : " if test -e $flanneldconf; then stat -c %a $flanneldconf; fi"
audit : " /bin/sh -c ' if test -e $flanneldconf; then stat -c %a $flanneldconf; fi' "
tests:
test_items:
- flag : "644"
compare:
op : eq
value : "644"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $flanneldconf"
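Review bot: flanneld is an optional component, and when `$flanneldconf` does not exist the `if test -e ...; fi` wrapper prints nothing, so the `set: true` item finds no `644` in the output and — assuming the engine treats an unmatched required flag as a failure — this scored check fails instead of being reported as not applicable. Either state that in the check text, e.g. `# NOTE: reports FAIL (not N/A) when the flanneld config file is absent`, or have the audit emit a distinguishable value when the file is missing so the test can tell "absent" from "wrong mode". The `eq 644` comparison additionally fails compliant modes such as 600.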
@ -694,10 +722,13 @@ groups:
- id : 1.4 .10
text : "Ensure that the flanneld file ownership is set to root:root (Scored)"
audit : " if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi"
audit : " /bin/sh -c ' if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi' "
tests:
test_items:
- flag : "root:root"
compare:
op : eq
value : "root:root"
set : true
remediation : "Run the below command (based on the file location on your system) on the master node.
\nFor example, chown root:root $flanneldconf"
@ -709,6 +740,9 @@ groups:
tests:
test_items:
- flag : "700"
compare:
op : eq
value : "700"
set : true
remediation : "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:\n
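Review bot: The added `compare` block pins the etcd data directory mode with `op: eq` / `value: "700"`, so a directory deliberately set tighter (for example 500) is reported as a failure even though it exposes less than 700 does. This hunk does not show the check's text or audit command — both sit above it — so confirm whether the benchmark wording is "700 or more restrictive" before relying on a strict equality here, and if so leave a note such as `# NOTE: eq 700 also fails on stricter modes - revisit once a mask-aware op exists`. The remediation text continues past the end of the hunk.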