mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-28 19:08:15 +00:00

cis-1.24: fix tests of 1.1.1 and 4.2.9 were wrong (#1423)

fixes #1410
fixes #1421
Huang Huang 2023-05-21 16:39:51 +08:00 committed by GitHub
parent 6de03bbd7d
commit e41755ba90
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 4 deletions

@ -9,18 +9,18 @@ groups:
text: "Control Plane Node Configuration Files"
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the
control plane node.
For example, chmod 644 $apiserverconf
For example, chmod 600 $apiserverconf
scored: true
- id: 1.1.2
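Review bot: The new `value: "600"` under `op: bitmask` for check 1.1.1 turns a host whose API server manifest is at 644 from a pass into a fail, so the stricter result deserves a line in the changelog or release notes. The check text, the bitmask value and the `chmod 600 $apiserverconf` remediation are consistent with each other; since this hunk only touches 1.1.1, please confirm that the file-permission checks starting at 1.1.2 were compared against the same benchmark text.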

@ -350,8 +350,12 @@ groups:
- flag: --event-qps
path: '{.eventRecordQPS}'
compare:
op: eq
op: gte
value: 0
- flag: --event-qps
path: '{.eventRecordQPS}'
set: false
bin_op: or
remediation: |
If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
If using command line arguments, edit the kubelet service file
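Review bot: In the `--event-qps` test, `op: gte` with `value: 0` joined through `bin_op: or` to the new `set: false` item makes the check pass when the setting is absent and for every non-negative value, so it can now fail only on a negative or non-numeric value. If that is the intent, add a short YAML comment above the two items explaining why an unset value is acceptable, and consider whether the remediation wording (set `eventRecordQPS` to an appropriate level) still matches a check that accepts any level.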