cis-1.24: fix tests of 1.1.1 and 4.2.9 were wrong (#1423)

fixes #1410 fixes #1421
2024-11-25 09:28:16 +00:00 · 2023-05-21 16:39:51 +08:00 · 2023-05-21 16:39:51 +08:00 · e41755ba90
commit e41755ba90
parent 6de03bbd7d
2 changed files with 8 additions and 4 deletions
--- a/cfg/cis-1.24/master.yaml
+++ b/cfg/cis-1.24/master.yaml
@ -9,18 +9,18 @@ groups:
    text: "Control Plane Node Configuration Files"
    checks:
      - id: 1.1.1
-        text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
+        text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"
        audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
-                value: "644"
+                value: "600"
        remediation: |
          Run the below command (based on the file location on your system) on the
          control plane node.
-          For example, chmod 644 $apiserverconf
+          For example, chmod 600 $apiserverconf
        scored: true

      - id: 1.1.2
--- a/cfg/cis-1.24/node.yaml
+++ b/cfg/cis-1.24/node.yaml
@ -350,8 +350,12 @@ groups:
            - flag: --event-qps
              path: '{.eventRecordQPS}'
              compare:
-                op: eq
+                op: gte
                value: 0
+            - flag: --event-qps
+              path: '{.eventRecordQPS}'
+              set: false
+          bin_op: or
        remediation: |
          If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
          If using command line arguments, edit the kubelet service file