
fix: change the folder name for certificate files in rke-1.23 and rke-1.24, fixes #1747 (#1749)

This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2024-12-16 05:44:08 +00:00 committed by GitHub
parent fbb674c450
commit f0f89b2707
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 10 additions and 10 deletions


@ -263,7 +263,7 @@ groups:
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" audit: "check_files_owner_in_dir.sh /etc/kubernetes/ssl"
tests: tests:
test_items: test_items:
- flag: "true" - flag: "true"


@ -93,7 +93,7 @@ groups:
- id: 4.1.7 - id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Automated)" text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Automated)"
audit: "stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem" audit: "stat -c permissions=%a /etc/kubernetes/ssl/kube-ca.pem"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
@ -107,7 +107,7 @@ groups:
- id: 4.1.8 - id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem" audit: "stat -c %U:%G /etc/kubernetes/ssl/kube-ca.pem"
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root


@ -272,7 +272,7 @@ groups:
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl" audit: "check_files_owner_in_dir.sh /etc/kubernetes/ssl"
tests: tests:
test_items: test_items:
- flag: "true" - flag: "true"
@ -289,7 +289,7 @@ groups:
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)" text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)"
audit: | audit: |
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi if test -n "$(find /etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -301,13 +301,13 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} + find /etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} +
scored: true scored: true
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)" text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
audit: | audit: |
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' | xargs stat -c permissions=%a;else echo \"File not found\"; fi if test -n "$(find /etc/kubernetes/ssl/ -name '*.pem')"; then find /etc/kubernetes/ssl/ -name '*.pem' | xargs stat -c permissions=%a;else echo \"File not found\"; fi
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -319,7 +319,7 @@ groups:
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} + find /etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} +
scored: true scored: true
- id: 1.2 - id: 1.2
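Review bot: The audit commands for 1.1.20 and 1.1.21 (the `audit: |` blocks ending in `else echo "File not found"; fi`) together with `bin_op: or` mean that if the path this commit re-anchors does not exist in the environment where kube-bench actually runs, the check never inspects a certificate and reports "File not found" instead — and if that string is matched by a passing test_item, which the hunk cuts off before showing, the control passes vacuously; the same pattern is in the last file section's 4.1.7 and 4.1.8 (`test -e ... else echo \"File not found\"`). Since the entire change is which filesystem root the path is anchored at, the PR description should state which view (host root vs. container mount) the new path targets, and a comment in the config such as `# path as seen from the kube-bench process; a missing directory makes this check pass via the 'File not found' branch` would keep the next path change from silently neutralising the check. A smaller inconsistency: 1.1.21's `echo \"File not found\"` sits in a literal block scalar, so the backslashes reach the shell and the output carries literal double quotes, unlike 1.1.20's `echo "File not found"`; if the test_item matches on the substring this still works, but the two should be written the same way. The rendered page has lost the +/- markers, so this note applies to whichever of the two paths is the new side.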


@ -92,7 +92,7 @@ groups:
- id: 4.1.7 - id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)" text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"' audit: '/bin/sh -c "if test -e /etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -107,7 +107,7 @@ groups:
scored: true scored: true
- id: 4.1.8 - id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
audit: '/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"' audit: '/bin/sh -c "if test -e /etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests: tests:
bin_op: or bin_op: or
test_items: test_items: