cis-1.24: fix tests of 1.1.1 and 4.2.9 were wrong (#1423)

fixes #1410
fixes #1421

cfg/cis-1.24/master.yaml

@@ -9,18 +9,18 @@ groups:
     text: "Control Plane Node Configuration Files"
     checks:
       - id: 1.1.1
-        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
+        text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"
         audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
         tests:
           test_items:
             - flag: "permissions"
               compare:
                 op: bitmask
-                value: "644"
+                value: "600"
         remediation: |
           Run the below command (based on the file location on your system) on the
           control plane node.
-          For example, chmod 644 $apiserverconf
+          For example, chmod 600 $apiserverconf
         scored: true
 
       - id: 1.1.2

cfg/cis-1.24/node.yaml

@@ -350,8 +350,12 @@ groups:
             - flag: --event-qps
               path: '{.eventRecordQPS}'
               compare:
-                op: eq
+                op: gte
                 value: 0
+            - flag: --event-qps
+              path: '{.eventRecordQPS}'
+              set: false
+          bin_op: or
         remediation: |
           If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
           If using command line arguments, edit the kubelet service file