From e41755ba907aec20c20f403d0b2db993269a2df6 Mon Sep 17 00:00:00 2001
From: Huang Huang
Date: Sun, 21 May 2023 16:39:51 +0800
Subject: [PATCH] cis-1.24: fix tests of 1.1.1 and 4.2.9 were wrong (#1423)

fixes #1410 fixes #1421
---
 cfg/cis-1.24/master.yaml | 6 +++---
 cfg/cis-1.24/node.yaml | 6 +++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/cfg/cis-1.24/master.yaml b/cfg/cis-1.24/master.yaml
index a13333d..bd11d8b 100644
--- a/cfg/cis-1.24/master.yaml
+++ b/cfg/cis-1.24/master.yaml
@@ -9,18 +9,18 @@ groups:
 text: "Control Plane Node Configuration Files"
 checks:
 - id: 1.1.1
- text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
+ text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"
 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
 tests:
 test_items:
 - flag: "permissions"
 compare:
 op: bitmask
- value: "644"
+ value: "600"
 remediation: |
 Run the below command (based on the file location on your system) on the control plane node.
- For example, chmod 644 $apiserverconf
+ For example, chmod 600 $apiserverconf
 scored: true
 
 - id: 1.1.2
diff --git a/cfg/cis-1.24/node.yaml b/cfg/cis-1.24/node.yaml
index f14817e..8acf653 100644
--- a/cfg/cis-1.24/node.yaml
+++ b/cfg/cis-1.24/node.yaml
@@ -350,8 +350,12 @@ groups:
 - flag: --event-qps
 path: '{.eventRecordQPS}'
 compare:
- op: eq
+ op: gte
 value: 0
+ - flag: --event-qps
+ path: '{.eventRecordQPS}'
+ set: false
+ bin_op: or
 remediation: |
 If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
 If using command line arguments, edit the kubelet service file
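Review bot: Only check 1.1.1 is tightened from 644 to 600 in this hunk; the sibling control-plane manifest checks in the same file (1.1.3 controller-manager, 1.1.5 scheduler, 1.1.7 etcd) are outside the hunk and, if they still read `644`, should be moved to `600` in the same way so the profile reflects one benchmark revision rather than a mix of two. The remediation would also benefit from a caveat, since `chmod 600` removes group and world read on the static-pod manifest: `Note: 600 removes read access for non-root users; confirm no node agent needs to read this manifest before applying.` The check's `audit`, `tests` and `scored` fields are otherwise unchanged by this commit.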
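Review bot: The rewritten 4.2.9 test can no longer fail: `op: gte` with `value: 0` accepts every non-negative eventRecordQPS, and the new `set: false` item joined with `bin_op: or` accepts the flag being absent, so a kubelet left at its default rate limit passes as readily as one set to 0. If the intent is that a human judges what an "appropriate level" is, the check should say so rather than reporting an automated PASS — set `scored: false` (and mark the `text`, which is above this hunk, as manual if it is not already) and have the remediation state what value the operator should compare against. If the intent is still an automated gate, the test needs a concrete threshold instead of `gte 0`. The remediation block continues past the end of the hunk.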