diff --git a/cfg/master.yaml b/cfg/master.yaml
index 7005f95..e02f76f 100644
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@@ -599,12 +599,18 @@ groups:
 # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $apiserverconf"
 scored: true
@@ -627,12 +633,18 @@ groups:
 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $config"
 scored: true
@@ -655,12 +667,18 @@ groups:
 text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $schedulerconf"
 scored: true
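Review bot: `bin_op: or` over two `eq` items still turns the control text "644 or more restrictive" into an exact match on two modes, so in the `@@ -599` hunk a file at 640, 400 or 440 — each stricter than 644 — is reported as failing, and the same construction is repeated in the `@@ -627` and `@@ -655` hunks here, in the master.yaml `@@ -683` and `@@ -711` hunks, and in every node.yaml hunk of this commit. If the compare engine offers a mode-mask or less-than style operator, a single test item using it would express the control faithfully; otherwise the accepted-value list has to enumerate the remaining stricter modes, and the gap deserves a comment next to `bin_op: or` such as `# exact-match list: modes stricter than 644 other than 600 still fail`. Note that `stat -c %a` prints four digits when a special bit is set, which neither value matches. Each hunk's enclosing `groups:` item starts outside the hunk.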
@@ -683,12 +701,18 @@ groups:
 text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $etcdconf"
 scored: true
@@ -711,12 +735,18 @@ groups:
 text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: "644"
 set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the master node. \nFor example, chmod 644 $flanneldconf"
 scored: true
diff --git a/cfg/node.yaml b/cfg/node.yaml
index 0b5b90b..5e43638 100644
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@@ -223,8 +223,17 @@ groups:
 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
 set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $config"
@@ -248,12 +257,18 @@ groups:
 text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
 compare:
 op: eq
 value: 644
 set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $kubeletconf"
 scored: true
@@ -273,8 +288,17 @@ groups:
 text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
 set: true
 remediation: "Run the below command (based on the file location on your system) on the each worker node. \nFor example, chmod 644 $proxyconf"
@@ -296,8 +320,17 @@ groups:
 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
 tests:
+ bin_op: or
 test_items:
 - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
 set: true
 remediation: "Run the following command to modify the file permissions of the --client-ca-file \nchmod 644 "
diff --git a/cmd/util.go b/cmd/util.go
index 937e3e0..64950f2 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -69,7 +69,8 @@ func verifyConf(confPath ...string) {
 for _, c := range confPath {
 if _, err := os.Stat(c); err != nil && os.IsNotExist(err) {
- continueWithError(err, "")
+ e := fmt.Errorf("configuration file %s not found", c)
+ continueWithError(e, "")
 missing += c + ", "
 }
 }
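Review bot: The existing `value: 644` in the `@@ -248` hunk is the only unquoted mode left in this commit: the item added directly beneath it uses `value: "600"`, and every other hunk in both files quotes `"644"`. Since this test block is being edited anyway, changing that line to `value: "644"` keeps one scalar type across the comparisons instead of leaving a lone integer among strings; whether the compare engine treats the two forms identically is not visible from the diff, which is exactly why the inconsistency is worth removing now. The enclosing `groups:` item starts outside the hunk.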
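Review bot: The replacement error built in the `@@ -69` hunk drops the `os.Stat` error it stands in for and formats the path with `%s`, so a path with trailing whitespace or unusual characters becomes indistinguishable in the log; `e := fmt.Errorf("configuration file %q not found: %v", c, err)` keeps both, and the `@@ -93` hunk in verifyBin has the same pattern with `b`. The new line assumes `fmt` is already imported, which the hunk does not show. The surrounding guard `err != nil && os.IsNotExist(err)` means any other stat failure (a permission error, say) falls through as if the file were present; that is pre-existing, but the new branch is a good place for `// only a missing file is reported; other stat errors are treated as present`. The `missing` variable and the rest of verifyConf lie outside the hunk.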
@@ -93,8 +94,9 @@ func verifyBin(binPath ...string) {
 bin = bin + "," + b
 binSlice = append(binSlice, b)
 if err != nil {
+ e := fmt.Errorf("executable file %s not found", b)
+ continueWithError(e, "")
 missing += b + ", "
- continueWithError(err, "")
 }
 }
 bin = strings.Trim(bin, ",")